[Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

Barry Warsaw barry at python.org
Thu Feb 10 15:41:05 CET 2005

There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
2.1 versions which can allow remote attackers to gain access to member
passwords under certain conditions.  The extent of the vulnerability
depends on what version of Apache you are running, and (possibly) how
you have configured your web server.  However, the flaw is in Mailman
and has been fix in CVS and will be included in the Mailman 2.1.6

This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are.  In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable.  This will disable all access to all private archives on
your system.  While this is the quickest and easiest way to close the
hole, it will also break all your private archives.  If all the lists on
your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this


For additional piece of mind, it is recommended that you regenerate your
member passwords.  Instructions on how to do this, and more information
about this vulnerability are available here:


My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. 
This issue was found by Marcus Meissner.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://mail.python.org/pipermail/mailman-users/attachments/20050210/4f0f07e1/attachment.pgp 

More information about the Mailman-Users mailing list