Hi!

I already patched our servers yesterday after the mail on
full-disclosure about it being hacked. (See
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.)
The patch mentioned there is without doing the syslog entry, but in
general it does the same.

I just want to share my experiences with the patch:

Am Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw schrieb:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions

As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)

> which can allow remote attackers to gain access to member passwords
> under certain conditions.

Not only to member passwords but to any file readable by the user
under which the Mailman CGI scripts are running, e.g. /etc/passwd on
many systems.

> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
> 
>       http://www.list.org/CAN-2005-0202.txt

Which unfortunately only works with Python 2. 

Python 1 (respective at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the "You've found a Mailman bug" page. ;-)

Is there any patch which complies with Python 1 syntax? (Sorry,
although I patched some "features" in Mailman once, I'm not the
Python guy. :) 

            Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:       Tulpenstrasse 5       D-55276 Dienheim near Mainz
E-Mail:     [EMAIL PROTECTED]       Voice:     +49 6133 939-220
WWW:        http://www.ecos.de/   Fax:       +49 6133 939-333
-------------------------------------------------------------

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Reply via email to