[Mailman-Users] any info on this reported exploit?

Diana Orrick orrick at acns.fsu.edu
Thu Jan 26 19:05:53 CET 2006


GNU Mailman Large Date Data Denial Of Service Vulnerability

GNU Mailman is prone to a denial of service attack. This issue affects the
email date parsing functionality of Mailman.

The vulnerability could be triggered by mailing list posts and will impact
the availability of mailing lists hosted by the application.
This notice was from SANS at RISK:

06.3.18 CVE: CVE-2005-4153
Platform: Unix
Title: GNU Mailman Large Date Data Denial of Service
Description: Mailman is software to help manage email discussion
lists, much like Majordomo and SmartList. The application is exposed
to a denial of service issue when it attempts to parse very large
numbers of dates contained in email messages. All current versions are
Ref: http://www.securityfocus.com/bid/16248

We are running Mailman 2.1.5 and have just found extraordinary
IO wait issues requiring shutdown|restart of Mailman.

The notice suggests all versions are vulnerable, is this the case?
If so, suggested workaround? Patch/upgrade coming?

Thanks for any info on this issue,

 Diana Mayer Orrick              email: orrick at ucs.fsu.edu
 University Computing Services          ph: (850) 644-2591
 Florida State University              fax: (850) 644-8722
