[Mailman-Users] any info on this reported exploit?

Brad Knowles brad at stop.mail-abuse.org
Fri Jan 27 10:52:22 CET 2006

At 1:00 AM -0500 2006-01-27, Jim Popovitch wrote:

>                                              I'm pretty sure that the
>  "insiders" fix their systems first, then tell the rest of us about the
>  patch, probably at the last minute possible.

	The "insiders" here are people like Barry, Tokio, and Mark.  I 
can't speak for what they do on their personal systems, but my 
recollection is that python.org wasn't updated until the patch was 
publicly available.  And even I don't have access to their internal 
discussions regarding such matters.

	So, you're no worse off than I am.

>                                                I challenge everyone on
>  mailman-secure (or whatever list it is) to NOT touch your public
>  Mailman systems until you notify mailman-users of the solution to the
>  next vulnerability.  Deal?

	They do have to do their development somewhere, right?  I mean, 
you give them that much, I hope.  And they do need to do at least 
some minimal testing on a live production system before they release 
that to the public, right?  I mean, you wouldn't want to try using 
something that had never been tested anywhere, would you?

	There is a QA process that such patches need to go through, even 
if we're talking about a bug that is currently being exploited.

	In fact, the more it's being exploited, and the more dangerous it 
is, I think the more testing needs to be done to make sure that it's 
caught and completely dealt with, and there aren't any unintended 

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
