[Mailman-Users] any info on this reported exploit?

Jim Popovitch jimpop at yahoo.com
Fri Jan 27 07:00:51 CET 2006

Mark Sapiro wrote:
> Jim Popovitch wrote:
>> OK, but what about the next one?   What do Mailman system admins do, wait?
> Yes, I think so. The alternative is everyone goes off half-cocked and
> you have a situation such as occurred about a year ago with the
> CAN-2005-0202 issue <http://www.list.org/security.html>. In this case,
> someone developed a patch which SuSE pushed out through their
> automatic update process, but the patch was dependent on a part of the
> Python library that SuSE didn't install by default and the dependency
> wasn't noted. This caused a lot of grief at the time. See
> <http://www.google.com/search?hl=en&q=site%3Amail.python.org++inurl%3Amailman-users+suse+sax>.

OK, so that is just one example (ok, I'm sure their might be others). 
HOWEVER, that example smells of BAD TESTING, not a bad solution.  Shame 
on Suse (or whoever).  The problem wasn't a Mailman problem, in fact I 
think Mailman developers (or someone) should be congratulated for 
getting a fix out there rather than sitting on it.  I'm pretty sure that 
the "insiders" fix their systems first, then tell the rest of us about 
the patch, probably at the last minute possible.  I challenge everyone 
on mailman-secure (or whatever list it is) to NOT touch your public 
Mailman systems until you notify mailman-users of the solution to the 
next vulnerability.  Deal?

-Jim P.

More information about the Mailman-Users mailing list