[Mailman-Users] any info on this reported exploit?

Jim Popovitch jimpop at yahoo.com
Mon Jan 30 04:11:06 CET 2006 

Stephen J. Turnbull wrote:
>>>>>> "Jim" == Jim Popovitch <jimpop at yahoo.com> writes:
> 
> Jim> She was asking a very important question about something that 
> Jim> was already public.
> 
> What important question?

I quote Diana from her original email that sparked this thread:

  "The notice suggests all versions are vulnerable, is this
  the case? If so, suggested workaround? Patch/upgrade coming?"

> It's an easy to execute exploit (in fact, it occasionally happens due
>  to ordinary mail, that's why it was found and fixed before anybody 
> asked about the DoS aspect) of very low interest to black hats and 
> small threat to a well-run site in most cases. IIRC, it's been 
> discussed on the list (though not as a security threat).
> 
> The only interesting thing that happened was that somebody 
> sensationalized that problem by labelling it a potential DoS attack. 
> That doesn't make it important, except to Diana and others following 
> that channel.  Anybody who hadn't noticed would never notice.
> 
> So what is the scenario if Diana posts to mailman-security?  She gets
>  an answer and nobody ever notices.

... and nobody else ever hears of the issue either.  Why is this?  It is 
Because it appears that the current Mailman policy is to suppress
not just information, but also questions, about situations like this.

> And if three people ask on mailman-security?  There's a short post to
>  mailman-users, and it ends up in the faq, because it's a PITA for 
> the developers to keep answering it.
> 
> What's wrong with that?

Nothing, assuming:

    A) Makes it into the FAQ in a timely fashion for it to benefit site
admins
    B) There is some means to notify site admins so that they don't
have to parse through mailman-users to get info on security issues.
I've been subscribed to mailman-announce for 5+ years.  I don't
recall ever seeing anything such as: "FAQ XYZ has been updated", let
alone info on potential vulnerabilities that I should be aware of.

> Jim> Are you suggesting that all "Hey, has this been fixed yet" Jim>
>  questions should be off list and only one-on-one with Jim> 
> mailman-security?
> 
> No, only for those defects that are not going to affect users unless 
> deliberately exploited.  For such security "holes", yes, "discuss 
> only with mailman-security" is announced policy.

And that is good.  Diana's case doesn't seem to meet that measure, yet
that is the advice Brad gave her.  Was that an attempt to suppress this
info from other site admins?

> Jim> er, Right.... (the elitism really shines through Brad).
> 
> Please watch your language.  "Elitism" means restricting something to
>  a select group because of their personal qualifications.

Possibly, in a narrowly defined sense.  I meant it as the rest of the
world uses it: http://www.answers.com/elitism

BTW, just who are the members of mailman-security?

> The security policy, and everything Brad has posted on the matter, 
> says discussion about potential exploits should be restricted to 
> those with "need to know", which is defined as "the ability to fix 
> the problem and/or the authority to distribute 'official' fixes." 
> This is a functional, not a personal, qualification.

And how does that apply to Diana's question?  Clearly she was inquiring
about a fixed issue, right?  If not, shouldn't the answer given to her
also be seen by others in similar situations?

> You're welcome to advocate a different definition of need-to-know, 
> one which includes large numbers of users who cannot contribute code
>  or distribute fixes, but the restrictive one above the one in common
>  use in the developer community.  To my knowledge nobody (in the open
>  source community) likes the implications for information 
> dissemination.

Well it seems to there are two extremes in the Mailman group of
interested folks.  Those that want to know everything, but don't want
anyone else to know it.  And those that are expected to not know
anything until Barry/Tokio/Mark/ etc., tell them to know it.  I just
think there is room for some middle ground.

There is more to Mailman than just users and developers.  There are
those that are responsible for Mailman systems but they aren't the
day-to-day admins of the mailing lists.  I think it is totally
irresponsible to expect that site admins find out on their own if there
are insecurities in the sites they run.  If I am running a Mailman 2.1.6
site, I expect to be informed of vulnerabilities and security concerns
sometime before 2.1.7 is fully released, not just have to read it in the
CHANGES file of 2.1.7.

-Jim P.

More information about the Mailman-Users mailing list