Re: [Mailman-Users] emergency moderation (v 2.1.5)

2005-02-10 Thread David W Smith
Hi Brad,
Thanks for your reply. The 'admin_immed_notify' option is turned on for my 
lists and I went through the troubleshooting recommendations (following 
which I didn't need to make any adjustments to my mailman configuration).

Interestingly this morning at 8 I received notification of postings 
I had made to two test lists yesterday afternoon that had emergency 
moderation switched on. So it would seem that all notifications are
heeding the 'admin_immed_notify' option except emergency moderation. 
Weird.

David Smith
On Wed, 9 Feb 2005, Brad Knowles wrote:
> At 9:54 AM + 2005-02-09, David W Smith wrote:
>> I've switched on emergency moderation for a few of our mailing lists
>> (using v 2.1.5 on a Debian Woody box) and thought I would receive email
>> notification of any postings held for moderation. But this has turned
>> out not to be the case.
>
> You should get notices at the same time as you would get any other
> moderation notices.  So, if you have turned off admin_immed_notify (on the
> main web admin page for the list, about 2/3 of the way down), you will only
> get them once a day.
>
> Otherwise, something else must be going on.
>
>> Does anyone know if email notifications should be sent out when
>> emergency moderation is switched on?
>
> Yes, see above.
>
>> I have checked for an option that might enable
>> this but without success; maybe I've overlooked something obvious. I
>> do receive email notifications at other times, e.g., when a non-member
>> has posted to a list or a posting is too large.
>
> Hmm.  Strange.  Have you looked in your logs?  The troubleshooting
> recommendations at
> http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq03.014.htp won't
> be completely relevant to your question, but some of them may be useful.


--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


[Mailman-Users] How to send html emails

2005-02-10 Thread Ezra Taylor
Hello All:
  How do I send html emails?
Thank You
Ezra Taylor


[Mailman-Users] sending mail in attachment on help listname-request

2005-02-10 Thread Sythos
Hi all,
there is a way to send a file (a zipped miniguide) when a subscribed
ml's user ask help (or something else at [EMAIL PROTECTED]

Regards,
Sythos

-- 

Sythos - http://www.sythos.net
  ()  ASCII Ribbon Campaign - against html/rtf/vCard in mail
  /\- against M$ attachments


[Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Barry Warsaw
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
2.1 versions which can allow remote attackers to gain access to member
passwords under certain conditions.  The extent of the vulnerability
depends on what version of Apache you are running, and (possibly) how
you have configured your web server.  However, the flaw is in Mailman
and has been fixed in CVS and will be included in the Mailman 2.1.6
release.

This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are.  In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable.  This will disable all access to all private archives on
your system.  While this is the quickest and easiest way to close the
hole, it will also break all your private archives.  If all the lists on
your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:

http://www.list.org/CAN-2005-0202.txt

For additional peace of mind, it is recommended that you regenerate your
member passwords.  Instructions on how to do this, and more information
about this vulnerability are available here:

http://www.list.org/security.html

My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. 
This issue was found by Marcus Meissner.

-Barry




Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread AJ
Can this be applied to any 2.1 release?
I am running 2.1 at the moment.

Thanks.

 Until Mailman 2.1.6 is released, the longer term fix is to apply this
 patch:

   http://www.list.org/CAN-2005-0202.txt



Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Ralf Hildebrandt
* AJ [EMAIL PROTECTED]:
 Can this be applied to any 2.1 release?
 I am running 2.1 at the moment.

The patch is very small, so I'd think yes.
-- 
Ralf Hildebrandt (on behalf of the IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin  Tel.  +49 (0)30-450 570-155
Joint institution of FU Berlin and HU Berlin  Fax.  +49 (0)30-450 570-962
IT-Zentrum, CBF site  send no mail to [EMAIL PROTECTED]


[Mailman-Users] Re: Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread John Swartzentruber
On 2/10/2005 9:41 AM Barry Warsaw wrote:
Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:
	http://www.list.org/CAN-2005-0202.txt
Could an expert please help out a non-expert? I applied this patch to 
/usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly 
patched. I'm not sure that this is enough, however, because the 
private.pyc file wasn't changed, even after I restarted mailman. Should 
I have patched the private.py file in the source, then gone through the 
make and make install process?

In short, how should this patch be applied?


Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread AJ
OK, thanks.  With no modifications it did not apply, but I can probably get it
to work.  It shouldn't cause any issues w/ 2.1 should it?
Thanks.
Quoting Ralf Hildebrandt [EMAIL PROTECTED]:
* AJ [EMAIL PROTECTED]:
Can this be applied to any 2.1 release?
I am running 2.1 at the moment.
The patch is very small, so I'd think yes.
--



Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread John Dennis
To answer a few recent questions.

To the best of my knowledge the patch is safe for any version of mailman
that contains the function true_path in private.py.

You will not see a new .pyc or .pyo file generated until the script is
executed for the first time after the change. In other words until
someone logs into a private archive for the first time. If you're really
concerned about the old .pyc or .pyo files you can manually remove them.

-- 
John Dennis [EMAIL PROTECTED]



Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread dave
On Thu, 10 Feb 2005, John Swartzentruber wrote:
> On 2/10/2005 9:41 AM Barry Warsaw wrote:
>> Until Mailman 2.1.6 is released, the longer term fix is to apply this
>> patch:
>>     http://www.list.org/CAN-2005-0202.txt
>
> Could an expert please help out a non-expert? I applied this patch to
> /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly patched.
> I'm not sure that this is enough, however, because the private.pyc file
> wasn't changed, even after I restarted mailman. Should I have patched the
> private.py file in the source, then gone through the make and make
> install process?

Edit $MAILMAN/Mailman/Cgi/private.py   (probably wise to save the orig)
Where you see lines in the diff beginning with -, remove those lines,
Where you see lines in the diff beginning with +, add those lines,
Once the edit is complete, stop and restart the qrunner (perhaps it's
/etc/init.d/mailman  or $MAILMAN/bin/mailmanctl   depending on how you're
set up).
The pyc will only get remade when needed and since this only affects lists
with archives, try going to some list of yours with an archive.
The original patch I saw on the net seems to work fine but doesn't log the
hack attempts to the $MAILMAN/logs/mischief  file. Here it is:

i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
SLASH = '/'
def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
-
The one from the diffs looks like this:

i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
^L
SLASH = '/'
def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    # Log to logs/mischief whenever a '.' or '..' component was dropped.
    if parts != safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]
--
If I got any of the above wrong, I apologize; please lemme know.
We're all in this together
 =-=-=-=-=-=-=-=-=-=-  generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
 David Stern    University of Maryland
   Institute for Advanced Computer Studies
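
The two replies above give an admin two things to verify after patching: that true_path in private.py now filters '.' and '..' components, and whether old .pyc/.pyo files are still sitting beside it. The following is an added example, not part of the thread or of Mailman; it is written for a current Python 3 and only reads the file as text. The function names, the status strings and the sample excerpts are assumptions made for the illustration, and the "unpatched" sample is a constructed stand-in rather than the real pre-patch code.

```python
import os
import re
import tempfile

# Constructed excerpts of Mailman/Cgi/private.py, modelled on the two variants quoted above.
PATCHED_WITH_LOG = '''\
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]
'''

PATCHED_NO_LOG = '''\
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
'''

# Constructed stand-in for a body without the fix; NOT the real 2.1.5 code.
UNPATCHED_STANDIN = '''\
def true_path(path):
    "Ensure that the path is safe by removing .."
    return path[1:]
'''

# The fix is recognisable by its per-component filter: not in ('.', '..')
COMPONENT_FILTER = re.compile(r"""not\s+in\s*\(\s*['"]\.['"]\s*,\s*['"]\.\.['"]\s*,?\s*\)""")
MISCHIEF_LOG = re.compile(r"""syslog\(\s*['"]mischief['"]""")


def true_path_body(source):
    """Return the text of true_path()'s body, or None if it is not defined."""
    lines = source.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"def\s+true_path\s*\(", line):
            body = []
            for nxt in lines[i + 1:]:
                # The body ends at the next non-blank line starting in column 0.
                if nxt.strip() and not nxt[0].isspace():
                    break
                body.append(nxt)
            return "\n".join(body)
    return None


def classify(source):
    """Return 'no-true_path', 'unpatched', 'patched' or 'patched+log'."""
    body = true_path_body(source)
    if body is None:
        return "no-true_path"  # the patch does not apply to this file
    if not COMPONENT_FILTER.search(body):
        return "unpatched"
    return "patched+log" if MISCHIEF_LOG.search(body) else "patched"


def stale_bytecode(cgi_dir, module="private"):
    """List .pyc/.pyo files whose mtime is older than the .py beside them."""
    src_mtime = os.path.getmtime(os.path.join(cgi_dir, module + ".py"))
    stale = []
    for ext in (".pyc", ".pyo"):
        compiled = os.path.join(cgi_dir, module + ext)
        if os.path.exists(compiled) and os.path.getmtime(compiled) < src_mtime:
            stale.append(compiled)
    return stale


def audit(cgi_dir):
    """Classify private.py in cgi_dir and report bytecode older than it."""
    with open(os.path.join(cgi_dir, "private.py")) as fh:
        status = classify(fh.read())
    return status, stale_bytecode(cgi_dir)


def demo():
    """Throwaway Cgi directory: patched source, bytecode left from before the edit."""
    with tempfile.TemporaryDirectory() as cgi_dir:
        src = os.path.join(cgi_dir, "private.py")
        pyc = os.path.join(cgi_dir, "private.pyc")
        with open(src, "w") as fh:
            fh.write(PATCHED_WITH_LOG)
        with open(pyc, "wb") as fh:
            fh.write(b"constructed placeholder, not real bytecode")
        os.utime(pyc, (1000, 1000))  # compiled before ...
        os.utime(src, (2000, 2000))  # ... the source was edited
        status, stale = audit(cgi_dir)
        return status, [os.path.basename(p) for p in stale]


if __name__ == "__main__":
    print(demo())
```

On a real host, audit() would be pointed at the Mailman/Cgi directory of the installation; a stale entry matches the situation described above, where the .pyc is only rebuilt the next time the private archive script runs.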


[Mailman-Users] Re: Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread John Swartzentruber
On 2/10/2005 11:03 AM [EMAIL PROTECTED] wrote:
The pyc will only get remade when needed and since this only affects lists
with archives, try going to some list of yours with an archive.
Thank you (and to Dan Phillips who replied privately). When I accessed a 
private archive the .pyc file was remade as you said it would be.



[Mailman-Users] Re: Critical security update for Mailman 2.1.5

2005-02-10 Thread dave
Am I correct in assuming the attack only allows hackers to access (read)
files?  Yes, I understand that if they can read/get mailman passwords, they
can obviously change lists but nothing more nefarious than that? ie not
change OS files or mailman sw? And would it be presumptuous of me to think 
this means only users mailman passwords but not mailman sitepassword can be
compromised as the latter is stored encrypted, right? (Ok, they could 
brute-force the encryption)   Same true of list moderator passwords?


 =-=-=-=-=-=-=-=-=-=-  generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
 David Stern    University of Maryland
   Institute for Advanced Computer Studies


Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5

2005-02-10 Thread Chuq Von Rospach
On Feb 10, 2005, at 8:17 AM, [EMAIL PROTECTED] wrote:
> Am I correct in assuming the attack only allows hackers to access (read)
> files?  Yes, I understand that if they can read/get mailman passwords, they
> can obviously change lists but nothing more nefarious than that?

they can not only get the passwords, but your subscriber lists. that 
is, I think, nefarious enough. it means you're one spambot away from 
handing over all your users to the blackhats.



Re: [Mailman-Users] SMTP_MAX_RCPT not working?

2005-02-10 Thread Kai Schaetzl
Mark Sapiro wrote on Wed, 9 Feb 2005 16:17:28 -0800:

 Previously you wrote So I set SMTP_MAX_RCPT = 5 in mm_cfg.py. I don't 
 know if SMTP_MAX_RCPT is a typo or if that is literally what you set, 
 but it could be the problem as the actual variable is SMTP_MAX_RCPTS.


Little mistake, great influence :-)
Yes, it was copied as is from the mm_cfg.py and it found its way there 
the same way, but apparently the S got lost somewhere. BTW: searching 
the FAQ for it shows that it was already suggested some while back to set 
a default of 5 since using a greater number apparently doesn't have much 
impact on overhead traffic. Must have been lost again or I am using an old 
mm_cfg.py.

Thanks!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de  http://msie.winware.org





Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-10 Thread Kai Schaetzl
Brad Knowles wrote on Thu, 10 Feb 2005 02:32:18 +0100:

 However, I also take Chuq's point that all security announcements 
 to this list, and all related mailman mailing lists hosted on 
 python.org, should be made by Barry or one of the other core 
 developers.


This was not a security announcement. And the posting on full-disclosure 
wasn't really a disclosure. full-disclosure account passwords itself got 
hacked and this was an alert for the list members about this fact and the 
cause. It's also on MITRE and got publicized via news sites. It's an 
*actively exploited* security hole, not a PoC or possible security 
problem.
I really don't see any sense in insisting that informing about it here and 
pointing to the source makes anyone more unsafe.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de  http://msie.winware.org





Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Thomas Waters
I'd like to issue a similar plea for assistance.  I have Mailman 2.1.3  
(default install on Panther Server)  If a very basic set of  
instructions could be prepared, step 1, step 2, step 3.. it would be  
extremely helpful.

On Feb 10, 2005, at 10:34 AM, John Swartzentruber wrote:
On 2/10/2005 9:41 AM Barry Warsaw wrote:
Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:
http://www.list.org/CAN-2005-0202.txt
Could an expert please help out a non-expert? I applied this patch to  
/usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly  
patched. I'm not sure that this is enough, however, because the  
private.pyc file wasn't changed, even after I restarted mailman.  
Should I have patched the private.py file in the source, then gone  
through the make and make install process?

In short, how should this patch be applied?

NOTE: new email address
--
Thomas Waters
Director of Information and Communication Services
University of Pittsburgh School of Pharmacy
412-383-7471
[EMAIL PROTECTED]
http://www.pharmacy.pitt.edu


Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-10 Thread Chuq Von Rospach
If you own a business, and your customers start telling your employees 
when to take coffee breaks, would that upset you?

that's the same issue as when users decide when to make announcements 
about mailman without consulting Barry. It's Barry's call.

A lot of this comes down to the issue of people trying to help. 
Everyone means well -- but there's a big difference between trying to 
help and helping. What happened here made things WORSE for the 
community at large, not better, and caused a fair bit of hassle for the 
prime developers who had to scramble when what they'd been planning to 
do got torpedoed. That is NOT HELPING, no matter what the intent.

If you want to help, find the people you're trying to help and ask how 
can I help?. Don't decide for yourself what needs to be done, ask. 
Because chances are, you're going to get in the way of things already 
going on and slow it down or mess it up.

This whole argument could have been avoided if the original poster, 
instead of posting it to the list, had emailed Barry and said Hey,  
Barry, have you heard of this? what's up? -- and Barry would have told 
him the announcement was coming and life would have been good. 30 
seconds of thinking, and asking a simple question. (in fact, that's 
exactly what I did when I got wind of the problem, and once it was 
clear Barry was already briefed and working on it, I shut up and stayed 
out of his way).

At about this point in the argument, I usually get accused of pissing 
off people who want to help and discouraging them from getting 
involved. This isn't true, but it seems to make people feel better and 
saves them from admitting they made a (well meaning) mistake. What I'm 
trying to do is get people to understand that it's not just important 
to WANT to help and Do Things, but to make sure what you're doing 
actually makes things better and moves things forward. Otherwise, 
you're just wasting that energy and time you just spent, and likely 
wasted time and energy of others as well.

there's a right way and a wrong way to help. well meaning doesn't 
make it right, it makes it well meaning. The right thing to do here 
is to go to the developers and ask what you can do to help, not just 
decide you're in charge and you know better than the folks who actually 
do the work.


On Feb 10, 2005, at 8:31 AM, Kai Schaetzl wrote:
> I really don't see any sense in insisting that informing about it here and
> pointing to the source makes anyone more unsafe.


[Mailman-Users] Some Posts not getting through - Troubleshooting tips?

2005-02-10 Thread Bruce Best (CRO)
I have recently installed mailman, and have currently set up a list with two
subscribers to test it out.

Mailman is set up and is working fine. However, one of the list members
never gets any posts. There are no bounces, no indication  that anything has
gone wrong. Just no posts.

The server/MTA (exim4) that is running mailman can send email directly to
the problem email address, and it gets through to the user no problem. It is
only when the email comes from the mailman list that it gets silently
dropped.

The only potentially useful log I can see is the connection timed out
lines in the exim4 logs, which are the only thing showing that exim is
trying to send the email and it isn't getting through:
 
2005-02-10 11:28:28 1CzGvq-00060p-VL == [EMAIL PROTECTED] R=dnslookup
T=remote_smtp defer (110): Connection timed out
2005-02-10 11:28:36 1CzH58-00061V-DZ mailserver.example.org [0.0.0.0]:
Connection timed out

(email address, mailserver and ip changed in above)

There are no bounces or other errors in the mailman logs. 

I am guessing that my list is being caught in a spam filter; it sounds like
this entry from the FAQ;
http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq03.042.htp.
However, given that regular emails are getting through, and given that
mailman is running on a recently set up domain/ip address which has never
done anything to hurt anyone before, this seems unlikely.

Any other thoughts on how to figure out what exactly is happening to these
posts? 

Mailman 2.1.5  Exim4 running on Debian Testing, installed via apt-get
(mailman_2.1.5-5_i386.deb)

B.


[Mailman-Users] Re: www.python.org FAQ and Announce Only List

2005-02-10 Thread Brad Stockdale
Hello all,
   I'm in a bit of a predicament. I need to setup two Mailman lists today 
and they need to be announce-only. This in and of itself isn't a problem. I 
searched the archives and found a lot of references to an FAQ article that 
explains the procedure. Herein lay the problem -- I cannot seem to go to 
www.python.org. I've tried for about a half hour now and it seems to be down.

   Is there a mirror of the Mailman FAQ anywhere so I can get started on 
setting these lists up?

Thanks,
Brad


Re: [Mailman-Users] error importing archive

2005-02-10 Thread Michael P. Soulier
On 09/02/05 Mark Sapiro did say:

 The 313th article in the mbox file (starting with 0) has invalid base64
 encoding.

Well, I couldn't find anything wrong with the article in question. So, I
patched the code in Util.py to catch the exception and return the null string.
Seems to have permitted the archives to be imported ok, while those messages
affected would presumably be blank.

Simply crashing like this is bad behaviour, IMHO. If I didn't know python I'd
have no idea how to fix the problem, or even where the problem was. 

Mike

-- 
Michael P. Soulier [EMAIL PROTECTED], 613-592-2122 x2522
6000/6010/60* Development, Mitel Corporation
...the word HACK is used as a verb to indicate a massive amount of nerd-like
effort. -Harley Hahn, A Student's Guide to Unix


[Mailman-Users] Re: www.python.org FAQ and Announce Only List

2005-02-10 Thread Brad Knowles
At 2:17 PM -0500 2005-02-10, Brad Stockdale wrote:
> I'm in a bit of a predicament. I need to setup two Mailman lists today
> and they need to be announce-only. This in and of itself isn't a problem.
> I searched the archives and found a lot of references to an FAQ article
> that explains the procedure. Herein lay the problem -- I cannot seem to
> go to www.python.org. I've tried for about a half hour now and it seems
> to be down.

I just discovered a few minutes ago that the server appears to be
down, and I have not been able to get in contact with Barry or anyone
else to tell me what's going on with it.  As soon as I have more
information, I will post it here.

> Is there a mirror of the Mailman FAQ anywhere so I can get started
> on setting these lists up?

For the FAQ Wizard, I am not aware of any mirror.  The list.org
site is mirrored in a couple of places, but not the FAQ Wizard.

--
Brad Knowles, [EMAIL PROTECTED]
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
  SAGE member since 1995.  See http://www.sage.org/ for more info.


[Mailman-Users] Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Axel Beckert
Hi!

I already patched our servers yesterday after the mail on
full-disclosure about it being hacked. (See
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.)
The patch mentioned there is without doing the syslog entry, but in
general it does the same.

I just want to share my experiences with the patch:

On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
 There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
 2.1 versions

As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)

 which can allow remote attackers to gain access to member passwords
 under certain conditions.

Not only to member passwords but to any file readable by the user
under which the Mailman CGI scripts are running, e.g. /etc/passwd on
many systems.

 Until Mailman 2.1.6 is released, the longer term fix is to apply
 this patch:
 
   http://www.list.org/CAN-2005-0202.txt

Which unfortunately only works with Python 2. 

Python 1 (respective at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the You've found a Mailman bug page. ;-)

Is there any patch which complies with Python 1 syntax? (Sorry,
although I patched some features in Mailman once, I'm not the
Python guy. :) 

Kind regards, Axel Beckert
-- 
-
Axel Beckert  ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:   Tulpenstrasse 5   D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]   Voice: +49 6133 939-220
WWW:http://www.ecos.de/   Fax:   +49 6133 939-333
-



[Mailman-Users] welcome message

2005-02-10 Thread larry lunt
 Hello
I have mailman 2.1.5
One of my lists is moderated. Only a few people can post. When someone new 
is subscribed they receive an automatic welcome message. Within the text of 
that message is the list posting address.
Since most are not allowed to post I'd like to remove this address from the 
welcome message.

 Larry



[Mailman-Users] Re: www.python.org FAQ and Announce Only List

2005-02-10 Thread Brad Knowles
At 8:30 PM +0100 2005-02-10, Brad Knowles wrote:
I just discovered a few minutes ago that the server appears to be
 down, and I have not been able to get in contact with Barry or anyone
 else to tell me what's going on with it.  As soon as I have more
 information, I will post it here.
	I just found out that the facility where the machine is located 
is having a minor power problem, and they are working on restoring it 
as quickly as possible.  However, I have not yet heard any estimated 
time to repair.

--
Brad Knowles, [EMAIL PROTECTED]
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
  SAGE member since 1995.  See http://www.sage.org/ for more info.


[Mailman-Users] Re: www.python.org FAQ and Announce Only List

2005-02-10 Thread Brad Knowles
At 11:10 PM +0100 2005-02-10, Brad Knowles wrote:
I just found out that the facility where the machine is located is
 having a minor power problem, and they are working on restoring it as
 quickly as possible.  However, I have not yet heard any estimated
 time to repair.
	Apparently the problem is more severe than first thought.  Some 
machines in the facility have power, some don't.  It may take a while 
to sort everything out, but we do not yet know exactly how long.

--
Brad Knowles, [EMAIL PROTECTED]
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
  SAGE member since 1995.  See http://www.sage.org/ for more info.


[Mailman-Users] Re: www.python.org FAQ and Announce Only List

2005-02-10 Thread Brad Knowles
At 11:19 PM +0100 2005-02-10, Brad Knowles wrote:
Apparently the problem is more severe than first thought.  Some
 machines in the facility have power, some don't.  It may take a while
 to sort everything out, but we do not yet know exactly how long.
	In the meanwhile, the web administration folks have temporarily 
moved www.python.org to point to a different machine, which includes 
a list of all known mirror sites.  Hopefully this will help people 
find the information they need.

--
Brad Knowles, [EMAIL PROTECTED]
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
  SAGE member since 1995.  See http://www.sage.org/ for more info.


[Mailman-Users] CREN ListProc to Mailman conversion?

2005-02-10 Thread Dale Ghent
Before I start writing one of my own, I'm wondering if anyone here has 
tucked away unreleased in their home directory a script they made to 
convert the list configs under ListProc to Mailman-style configs?

Any help or pointers would be appreciated. I have about 1600 ListProc 
lists I'm going to need to convert in the coming weeks.

/dale


Re: [Mailman-Users] Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Tokio Kikuchi
Hi,
As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)

Which unfortunately only works with Python 2. 

Python 1 (respective at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the "You've found a Mailman bug" page. ;-)
Change the true_path function as:

def true_path(path):
    "Ensure that the path is safe by removing .."
    import re
    # Drop every run of dots that is followed by one or more slashes.
    path = re.sub('\.+/+', '', path)
    return path[1:]

and try. Sorry but I have no 2.0.x around but only found a machine which 
has working Python 1.x installed.

--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/


Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5

2005-02-10 Thread AJ
How can we test that the patch is working?  Is there a way to cause the log
message to be written to the mischief log?  Just want to make sure the patch is
working, any help would be great.

Thanks.
On Feb 10, 2005, at 8:17 AM, [EMAIL PROTECTED] wrote:
Am I correct in assuming the attack only allows hackers to access (read)
files?  Yes, I understand that if they can read/get mailman passwords, they
can obviously change lists but nothing more nefarious than that?
they can not only get the passwords, but your subscriber lists. that
is, I think, nefarious enough. it means you're one spambot away from
handing over all your users to the blackhats.





Re: [Mailman-Users] Re: Critical security update for Mailman 2.1.5

2005-02-10 Thread Tokio Kikuchi
AJ wrote:
How can we test that the patch is working?  Is there a way to cause the log
message to be written to the mischief log?  Just want to make sure the patch is
working, any help would be great.
Principally, add /../ in your browser's URL box after authenticating 
yourself for the private archive page:
http://your.host/mailman/private/yourlist/../

But my browser is clever enough to strip this to
http://your.host/mailman/private/
:-
Note that this is not an exploit. You will find other malicious attempts 
in logs/error.

--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
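
Added example (not part of the thread and not Mailman's own code): since the browser normalizes /../ before the request is sent, the regex variant of true_path posted earlier in this thread can be exercised directly on constructed PATH_INFO strings instead. The archive root, the list name, the sample paths and the helpers has_parent_ref, stays_under and check are assumptions made for this illustration.

```python
import posixpath
import re


def true_path(path):
    """Regex variant posted in the thread: drop each run of dots followed by slashes."""
    path = re.sub(r'\.+/+', '', path)
    return path[1:]  # drop the leading "/" so the result joins under the archive root


def has_parent_ref(path):
    """True if any component of the path is exactly '..'."""
    return '..' in path.split('/')


def stays_under(root, relative):
    """True if root/relative, once normalized, is still inside root."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, relative))
    return target == root or target.startswith(root + '/')


# Assumed archive root and constructed PATH_INFO values ("/<listname>/<rest>");
# neither comes from the thread.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'
SAMPLES = [
    '/yourlist/2005-February/000123.html',  # ordinary archive page
    '/yourlist/../',                        # the test path suggested in the thread
    '/yourlist/../../otherdir/file',
    '/yourlist/.../.../x',
    '/yourlist//..//x',
]


def check(samples=SAMPLES, root=ARCHIVE_ROOT):
    """Return (raw, cleaned, ok); ok means no '..' component is left and the path stays under root."""
    rows = []
    for raw in samples:
        cleaned = true_path(raw)
        ok = not has_parent_ref(cleaned) and stays_under(root, cleaned)
        rows.append((raw, cleaned, ok))
    return rows


if __name__ == '__main__':
    for raw, cleaned, ok in check():
        print('%-38s -> %-36s %s' % (raw, cleaned, 'ok' if ok else 'UNSAFE'))
```
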