[Mailman-Users] Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier

Axel Beckert beckert at ecos.de
Thu Feb 10 20:55:34 CET 2005


I already patched our servers yesterday after the mail on
full-disclosure about it being hacked. (See
The patch mentioned there is without doing the syslog entry, but in
general it does the same.

I just want to share my experiences with the patch:

Am Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw schrieb:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions

As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)

> which can allow remote attackers to gain access to member passwords
> under certain conditions.

Not only to member passwords but to any file readable by the user
under which the Mailman CGI scripts are running, e.g. /etc/passwd on
many systems.

> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
> 	http://www.list.org/CAN-2005-0202.txt

Which unfortunately only works with Python 2. 

Python 1 (respective at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the "You've found a Mailman bug" page. ;-)

Is there any patch which complies with Python 1 syntax? (Sorry,
although I patched some "features" in Mailman once, I'm not the
Python guy. :) 

            Kind regards, Axel Beckert
Axel Beckert      ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:       Tulpenstrasse 5       D-55276 Dienheim near Mainz
E-Mail:     beckert at ecos.de       Voice:     +49 6133 939-220
WWW:        http://www.ecos.de/   Fax:       +49 6133 939-333

More information about the Mailman-Users mailing list