Hi! I already patched our servers yesterday after the mail on full-disclosure about it being hacked. (See http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.) The patch mentioned there is without doing the syslog entry, but in general it does the same.
I just want to share my experiences with the patch:

On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions

As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable, too. (As the subject of the announcement also suggested.)

> which can allow remote attackers to gain access to member passwords
> under certain conditions.

Not only to member passwords but to any file readable by the user under which the Mailman CGI scripts are running, e.g. /etc/passwd on many systems.

> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
>
> http://www.list.org/CAN-2005-0202.txt

Which unfortunately only works with Python 2. Python 1 (or at least 1.5.2) complains about syntax errors. (Which, in fact, also helps against the vulnerability by displaying the "You've found a Mailman bug" page. ;-)

Is there any patch which complies with Python 1 syntax? (Sorry, although I patched some "features" in Mailman once, I'm not the Python guy. :)

Kind regards, Axel Beckert

--
Axel Beckert
ecos electronic communication services gmbh
it security solutions * web applications with apache and perl
Mail: Tulpenstrasse 5, D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]
Voice: +49 6133 939-220
Fax: +49 6133 939-333
WWW: http://www.ecos.de/