Well, as long as the cat is out of the bag, here is some info that might be helpful to folks. I was told the security alert was made public this afternoon, so not much is being compromised by helping folks address the issue given its newfound visibility :-( Red Hat has patched all of its Mailman RPMs, which are in the process of getting pushed out through our distribution channels. Here are the package versions for each distribution:
AS2.1: mailman-2.0.13-7
FC2:   mailman-2.1.5-8.fc2
FC3:   mailman-2.1.5-30.fc3
FC4:   mailman-2.1.5-30.fc4
RHEL3: mailman-2.1.5-24.rhel3
RHEL4: not yet released.

The good news is that the exploit is only possible when mailman is combined with a version of the Apache Web server (httpd) less than version 2.0 (e.g. 1.3). I am not going to describe in this forum how the exploit occurs, for obvious reasons. It has been reproduced on a number of systems. It is a serious exploit that can give attackers access to most of the file system.

If you are running Apache < 2.0 you will want to patch your mailman code -OR- upgrade to Apache >= 2.0. If you are running Apache >= 2.0, breathe a sigh of relief: you are not vulnerable.

BTW, I do not believe this is limited to mailman 2.1.5; it is present in earlier mailman versions (or at least from code inspection it seems to be).

Here are two proposed fixes; either should work. The implementation of the function true_path in Mailman/Cgi/private.py needs to be changed:

    import re

    def true_path(path):
        "Ensure that the path is safe by removing .."
        # Strip every run of dots followed by slashes (raw string so the
        # backslash reaches the regex engine), then drop the leading '/'.
        path = re.sub(r'\.+/+', '', path)
        return path[1:]

-OR-

    SLASH = '/'

    def true_path4(path):
        "Ensure that the path is safe by removing .."
        # Drop every '.' and '..' path component outright, rejoin, and
        # drop the leading '/'.
        parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
        return SLASH.join(parts)[1:]

--
John Dennis <[EMAIL PROTECTED]>

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
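As an added illustration (this is not code from the post above nor from the Mailman project), here are the two proposed true_path sanitizers side by side, plus a small harness that runs them over a handful of constructed PATH_INFO-style inputs and a containment check that verifies the sanitized path, once joined to the archive root, still normalizes to somewhere inside that root. The archive root, the function names, the sample inputs and the check_sanitizer/resolve_under_root helpers are all assumptions made for this example.

```python
import os
import re

SLASH = '/'

# Constructed archive root for the demonstration only; no real Mailman
# installation layout is assumed.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'


def true_path_regex(path):
    """First proposed fix: strip any run of dots followed by slashes,
    then drop the leading '/'."""
    return re.sub(r'\.+/+', '', path)[1:]


def true_path_split(path):
    """Second proposed fix: split on '/', drop every '.' and '..'
    component, rejoin, then drop the leading '/'."""
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]


def resolve_under_root(root, rel_path):
    """Defensive containment check (an addition, not part of the post):
    join the already-sanitized relative path to the archive root,
    normalize it lexically, and return it only if it is still inside the
    root; otherwise return None."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, rel_path))
    if candidate == root or candidate.startswith(root + SLASH):
        return candidate
    return None


# Constructed (input, expected output) pairs for both sanitizers.
SAMPLES = [
    ('/mylist/2005-February/000001.html', 'mylist/2005-February/000001.html'),
    ('/mylist/./index.html', 'mylist/index.html'),
    ('/mylist/../../etc/passwd', 'mylist/etc/passwd'),
]


def check_sanitizer(fn, samples):
    """Return a list of (input, got, expected) triples for every sample
    the sanitizer does not map to the expected value; empty means all
    samples passed."""
    return [(src, fn(src), want) for src, want in samples if fn(src) != want]


def main():
    for fn in (true_path_regex, true_path_split):
        bad = check_sanitizer(fn, SAMPLES)
        print(fn.__name__, 'OK' if not bad else 'MISMATCH %r' % bad)
    # Even a sanitized path is worth re-checking against the archive root.
    for rel in ('mylist/2005-February/000001.html', '../../../../etc/passwd'):
        print(rel, '->', resolve_under_root(ARCHIVE_ROOT, rel))


if __name__ == '__main__':
    main()
```

Both sanitizers agree on the constructed samples; the containment check is the belt-and-braces step a practitioner would want regardless of which sanitizer is deployed, since it does not depend on recognizing any particular encoding of the dot sequences.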