Hi!
I already patched our servers yesterday after the mail on
full-disclosure about it being hacked. (See
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.)
The patch mentioned there is without doing the syslog entry, but in
general it does the same.
I just want to share my experiences with the patch:
On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions
As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)
> which can allow remote attackers to gain access to member passwords
> under certain conditions.
Not only to member passwords but to any file readable by the user
under which the Mailman CGI scripts are running, e.g. /etc/passwd on
many systems.
> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
>
> http://www.list.org/CAN-2005-0202.txt
Which unfortunately only works with Python 2.
Python 1 (or at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the "You've found a Mailman bug" page. ;-)
Is there any patch which complies with Python 1 syntax? (Sorry,
although I patched some "features" in Mailman once, I'm not the
Python guy. :)
Kind regards, Axel Beckert
--
Axel Beckert
ecos electronic communication services gmbh
it security solutions * web applications with apache and perl
Mail: Tulpenstrasse 5, D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]
Voice: +49 6133 939-220
Fax: +49 6133 939-333
WWW: http://www.ecos.de/
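The problem Axel describes above, a CGI script handing back any file readable by the user it runs as, is the class of bug that a path-containment check on the requested archive path prevents, with a log entry for rejected requests so that probing shows up in syslog. The following is an added example written for this page in Python 3; it is not the Mailman project's code and not the CAN-2005-0202 patch. The functions `is_within_root` and `resolve_archive_path`, the archive root `/srv/example-archive` and the request strings are all constructed for illustration.

```python
import logging
import os
from urllib.parse import unquote

# Constructed example: a containment check for a CGI handler that serves files
# out of a private list-archive directory. Not Mailman's code or its patch.

log = logging.getLogger("archive-cgi")


def is_within_root(root, requested):
    """Return True if `requested` (the URL path component after the list
    name, still percent-encoded) resolves to a location inside `root`.

    Decodes once (the CGI layer would normally do this), refuses NUL bytes
    and absolute paths outright, then lets realpath collapse every ".." and
    resolve symlinks before comparing against the resolved root.
    """
    root = os.path.realpath(root)
    path = unquote(requested)
    if "\0" in path or os.path.isabs(path):
        return False
    candidate = os.path.realpath(os.path.join(root, path))
    # Equal to the root (directory index) or strictly below it.
    return candidate == root or candidate.startswith(root + os.sep)


def resolve_archive_path(root, requested):
    """Return the absolute path to serve, or None if the request would
    escape the archive root. Rejections are logged so that repeated
    traversal attempts are visible in the server log."""
    if not is_within_root(root, requested):
        log.warning("rejected archive request outside %s: %r", root, requested)
        return None
    return os.path.realpath(os.path.join(os.path.realpath(root), unquote(requested)))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    archive_root = "/srv/example-archive"  # constructed path
    for req in ("mylist/2005-February/000001.html",
                "../../etc/passwd",
                "mylist/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/etc/passwd"):
        print(repr(req), "->", resolve_archive_path(archive_root, req))
```

Because the comparison happens after `os.path.realpath` on both sides, the check is not fooled by encoded dots, repeated separators or symlinks inside the archive tree; a request that the filesystem would resolve outside the root is refused before any file is opened.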
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users