Brad Knowles wrote:

> There is a QA process that such patches need to go through, even if
> we're talking about a bug that is currently being exploited widely.
>
> In fact, the more it's being exploited, and the more dangerous it
> is, I think the more testing needs to be done to make sure that it's
> caught and completely dealt with, and there aren't any unintended
> consequences.
I guess we just see system administration from different angles; I prefer communication to silence. Here is the scenario that I'd like to see for the next "gotcha":

Barry/Tokio/Mark: Folks, yesterday we were informed of a serious (i.e. potential for data loss) issue with MM 2.1.5+. The "team" will need a few days to sort through this and to come back with some recommendations for securing your systems. Secondly, the "team" will try and produce a patch in 2 weeks' time.

Users: Great, glad to hear this, Barry. Thank you for your hard, dedicated work. Please keep us informed of what we can do to help.

day+=2:

Barry/Tokio/Mark: It looks like this vulnerability is leveraging a (unmentioned) py file. Can users please send us logs showing failed/complete/erroneous attempts to access py files on your systems?

Users: Great, thanks again, Barry, glad we can help.

day++:

Barry/Tokio/Mark: OK folks, thanks for being patient with us. Here's what you need to do right now: If you use Apache, add a mod_rewrite entry to prevent access to xyz.py. Also, chmod abc.py to only allow cgi-user access (not the normal mailman user), blah, blah, blah... Finally, please change your site-wide password, and all moderator passwords, ASAP.

Users: Great, Barry. Thanks again for the speedy assistance.

day+=10:

Barry/Tokio/Mark: Today we are releasing patches for MM 2.1.5, 2.1.6, and 2.1.7 that admins need to apply to their systems. Note: assuming you have taken our prior advice, there is no need to rush to apply these patches. Having said that, if you do see entry "blah" in your mailman mischief log, then we recommend that you apply this patch ASAP.

Users: Excellent, thank you again, Barry.

Two, three, or four days later, after "planned outage" notices are sent out and tests have been performed on test systems, people can upgrade their systems with confidence and sanity while working around holidays, sporting events, vacations, etc.
Somebody please tell me what is wrong with that level of communication on vulnerability/security issues.

-Jim P. (seeking nirvana)

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp