[Mailman-Users] any info on this reported exploit?

Jim Popovitch jimpop at yahoo.com
Fri Jan 27 11:25:08 CET 2006


Brad Knowles wrote:
> 
>     There is a QA process that such patches need to go through, even if 
> we're talking about a bug that is currently being exploited widely.
> 
>     In fact, the more it's being exploited, and the more dangerous it 
> is, I think the more testing needs to be done to make sure that it's 
> caught and completely dealt with, and there aren't any unintended 
> consequences.

I guess we just see system administration from different angles, I 
prefer communication to silence.  Here is the scenario that I'd like to 
see for the next "gotcha":

Barry/Tokio/Mark:  Folks, yesterday we were informed of a serious (i.e. 
potential for data loss) issue with MM 2.1.5+.  The "team" will need a 
few days to sort through this and to come back with some recommendations 
for securing your systems.  Secondly, the "team" will try and produce a 
patch in 2 weeks time.

Users:  Great, glad to hear this Barry.  Thank you for your hard 
dedicated work.  Please keep us informed of what we can do to help.

day+=2:

Barry/Tokio/Mark:  It looks like this vulnerability is leveraging a 
(unmentioned) py file.  Can users please send us logs showing 
failed/complete/erroneous attempts to access py files in your systems?

Users:  Great, thanks again Barry, glad we can help.

day++:

Barry/Tokio/Mark:  OK folks, thanks for being patient with us.  Here's 
what you need to do right now:  If you use Apache, add a mod_rewrite 
entry to prevent access to xyz.py.  Also, chmod abc.py to only allow cgi-user 
access (not the normal mailman user), blah, blah, blah...  Finally, 
please change your site-wide password, and all moderator passwords ASAP.

Users:  Great Barry.  Thanks again for the speedy assistance.

day+=10

Barry/Tokio/Mark:  Today we are releasing patches for MM 2.1.5, 2.1.6, 
and 2.1.7 that admins need to apply to their systems.  Note: assuming 
you have taken our prior advice there is no need to rush and apply these 
patches.  Having said that, if you do see entry "blah" in your mailman 
mischief log then we recommend that you apply this patch ASAP.

Users:  Excellent, Thank you again Barry.

Two, three, or four days later, after "planned outage" notices are sent 
out and tests have been performed on test systems, people can upgrade 
their systems with confidence and sanity while working around holidays, 
sporting events, vacations, etc.

Somebody please tell me what is wrong with that level of communication 
on vulnerability/security issues.

-Jim P.  (seeking nirvana)
