[Mailman-Users] any info on this reported exploit?
Jim Popovitch
jimpop at yahoo.com
Fri Jan 27 07:00:51 CET 2006
Mark Sapiro wrote:
> Jim Popovitch wrote:
>> OK, but what about the next one? What do Mailman system admins do, wait?
>
> Yes, I think so. The alternative is everyone goes off half-cocked and
> you have a situation such as occurred about a year ago with the
> CAN-2005-0202 issue <http://www.list.org/security.html>. In this case,
> someone developed a patch which SuSE pushed out through their
> automatic update process, but the patch was dependent on a part of the
> Python library that SuSE didn't install by default and the dependency
> wasn't noted. This caused a lot of grief at the time. See
> <http://www.google.com/search?hl=en&q=site%3Amail.python.org++inurl%3Amailman-users+suse+sax>.
OK, so that is just one example (ok, I'm sure there might be others).
HOWEVER, that example smells of BAD TESTING, not a bad solution. Shame
on SuSE (or whoever). The problem wasn't a Mailman problem, in fact I
think Mailman developers (or someone) should be congratulated for
getting a fix out there rather than sitting on it. I'm pretty sure that
the "insiders" fix their systems first, then tell the rest of us about
the patch, probably at the last minute possible. I challenge everyone
on mailman-secure (or whatever list it is) to NOT touch your public
Mailman systems until you notify mailman-users of the solution to the
next vulnerability. Deal?
-Jim P.