[Mailman-Users] any info on this reported exploit?
jimpop at yahoo.com
Fri Jan 27 11:25:08 CET 2006
Brad Knowles wrote:
> There is a QA process that such patches need to go through, even if
> we're talking about a bug that is being currently being exploited widely.
> In fact, the more it's being exploited, and the more dangerous it
> is, I think the more testing needs to be done to make sure that it's
> caught and completely dealt with, and there aren't any unintended
I guess we just see system administration from different angles, I
prefer communication to silence. Here is the scenario that I'd like to
see for the next "gotcha":
Barry/Tokio/Mark: Folks, yesterday we were informed of a serious (i.e.
potential for data loss) issue with MM 2.1.5+. The "team" will need a
few days to sort through this and to come back with some recommendations
for securing your systems. Secondly, the "team" will try and produce a
patch in 2 weeks time.
Users: Great, glad to hear this Barry. Thank you for your hard
dedicated work. Please keep us informed of what we can do to help.
Barry/Tokio/Mark: It looks like this vulnerability is leveraging a
(unmentioned) py file. Can users please send us logs showing
failed/complete/erroneous attempts to access py files in your systems?
Users: Great, thanks again Barry, glad we can help.
Barry/Tokio/Mark: OK folks, thanks for being patient with us. Here's
what you need to do right now: If you use Apache, add a mod_rewrite
prevent access to xyz.py. Also, chmod abc.py to only allow cgi-user
access (not the normal mailman user), blah, blah, blah... Finally,
please change your site-wide password, and all moderator passwords ASAP.
Users: Great Barry. Thanks again for the speedy assistance.
Barry/Tokio/Mark: Today we are releasing patches for MM 2.1.5, 2.1.6,
and 2.1.7 that admins need to apply to their systems. Note: assuming
you have taken our prior advice there is no need to rush and apply these
patches. Having said that, if you do see entry "blah" in your mailman
mischief log then we recommend that you apply this patch ASAP.
Users: Excellent, Thank you again Barry.
Two, three, or four days latter, after "planned outage" notices are sent
out and tests have been performed on test systems, people can upgrade
their systems with confidence and sanity while working around holidays,
sporting events, vacations, etc.
Somebody please tell me what is wrong with that level of communication
on vulnerability/security issues.
-Jim P. (seeking nirvana)
More information about the Mailman-Users