sanjay jangam writes:
> Can you elaborate on the security features of Mailman and how it
> ensures a safe environment for email discussions?
No. The question is poorly posed. You need to say against what
threats you want to protect your discussions.
I can say this much: Mailman 3 does try
Can you elaborate on the security features of Mailman and how it ensures a
safe environment for email discussions?
Regards,
Sanjay Jangam
www.sanjayjangam.com
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an
On 03/27/2015 02:42 PM, Mark Sapiro wrote:
A security vulnerability in Mailman has been found and fixed. It has
been assigned CVE-2015-2775. The details of this vulnerability and fix
will be announced next Tuesday, 31 March 2015, at which time both a
patch for this specific vulnerability and
On Sat, 28 Mar 2015 13:24:25 +0100
Roland Miyamoto roland.miyam...@gmx.net wrote:
Hello Roland,
I am running Mailman 2.1.15 under Debian 7.
Will the fix be included in the usual repository updates?
I can't speak as an authority on either Mailman or Debian, only as a
user, but security updates
On 03/28/2015 05:24 AM, Roland Miyamoto wrote:
Thank you, Mark,
For this announcement.
Does the vulnerability also affect older Mailman releases, like
2.1.15, e.g.?
Yes, but the actual number of sites that are vulnerable is probably
small. More information will be available on Tuesday, but
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Thank you, Mark,
For this announcement.
Does the vulnerability also affect older Mailman releases, like
2.1.15, e.g.?
If so, how do I make sure to incorporate the fix soon after next
Tuesday, when the world will learn about the details?
I am running
A security vulnerability in Mailman has been found and fixed. It has
been assigned CVE-2015-2775. The details of this vulnerability and fix
will be announced next Tuesday, 31 March 2015, at which time both a
patch for this specific vulnerability and Mailman 2.1.20 will be released.
In addition to
James Riendeau wrote:
I need to run bin/add_member in our Mailman 2.1.11 list server
installation from a cgi/perl script. Normally, it has to run as
root. The easy solution was to add the www user to the mailman
group. You can then:
open(LISTSERVER, '|/usr/local/mailman/bin/add_members
I need to run bin/add_member in our Mailman 2.1.11 list server
installation from a cgi/perl script. Normally, it has to run as
root. The easy solution was to add the www user to the mailman
group. You can then:
open(LISTSERVER, '|/usr/local/mailman/bin/add_members -r- '.$list_name);
Greetings everyone,
First, I do not wish to trigger another round of flames, as we had here
yesterday WRT this topic.
Second, and by coincidence from my perspective, the Open Office team just
issued a post that some here might find informative WRT this topic.
Third, I am not a developer. I
]; Brad Knowles [EMAIL PROTECTED]; Gail
[EMAIL PROTECTED]; mailman-users@python.org
Sent: Tuesday, 12 September, 2006 2:17:02 AM
Subject: Re: [Mailman-Users] Security / AOL
At 9:15 PM + 2006-09-11, Jon Loose wrote:
Brad - apologies for not getting the point from the FAQ first.
Sorry
I wish I only had 5 to 10 with AOL, I've got over 1000 and all write
complaining when their mail doesn't arrive!
I've only a couple dozen on 7 Lists and they SCREAM, Gail!! -:)
AOL = PITA
Ed
At 8:52 AM -0400 2006-09-11, Gail wrote:
My experience with AOL, unrelated to Mailman, may be of more help. Almost
without exception is all part of AOL's misguided attempts to block SPAM.
Correct. Which is why I wrote FAQ 3.42. I should know, since I was
the first Internet mail operations
From: Brad Knowles [EMAIL PROTECTED]
To: Gail [EMAIL PROTECTED]; mailman-users@python.org
Sent: Monday, 11 September, 2006 6:20:43 PM
Subject: Re: [Mailman-Users] Security / AOL
At 8:52 AM -0400 2006-09-11, Gail wrote:
My experience with AOL, unrelated to Mailman, may be of more help. Almost
At 9:15 PM + 2006-09-11, Jon Loose wrote:
Brad - apologies for not getting the point from the FAQ first.
Sorry, that's a pet peeve of mine. ;)
Thanks for being willing to repeat yourself anyway. I'm going to advise
folks to register for a different address. Very interesting to see
Hi,
First of all - thanks to those who pointed me to help for setting up mailman to
run under https. This now works fine. Some may be interested to know that for
reasons of security I also disabled monthly password reminders and also
password reminders being sent out through the user's
At 6:01 PM + 2006-09-10, Jon Loose wrote:
Second - I have found problems with invites to AOL addresses. Is this a
common issue? If so, I'd be interested to know what the issue is, and
if anything can be done (apart from obviously encouraging people to
dump AOL!).
What problems? Can
I am a brand new user of Mailman and in the process of building a
replacement for one that is running out of space. I am struggling with
security. I know there are processes like ftp and telnet which I should
shutdown but how do I do this. Any information I have found online
confuses me or
Jewel wrote:
I simply want
to know how can I see that services running, how to shut them down, and
secure the server. I am running Knoppix 4.0.2 and Mailman 2.1.7.
If Mailman is normally installed, there is a 'mailmanctl' in its bin/
directory, and Mailman is shut down with 'bin/mailmanctl
Hi again,
I tried applying the security patch for 2.1.5 which is listed
on the website - but got a number of errors - can anyone outline the
procedure for implementing the patch please, whether it's by running
the patch or replacing lines of code within certain files - any
assistance would be
At 8:09 PM +1100 2005-03-22, Terry Allen wrote:
I tried applying the security patch for 2.1.5 which is listed on the
website - but got a number of errors - can anyone outline the procedure
for implementing the patch please, whether it's by running the patch
or replacing lines of code
At 8:09 PM +1100 2005-03-22, Terry Allen wrote:
I tried applying the security patch for 2.1.5 which is listed on the
website - but got a number of errors - can anyone outline the procedure
for implementing the patch please, whether it's by running the patch
or replacing lines of code
Terry Allen wrote:
I should have outlined that I had already tried
running patch on that .txt file - here's the problem I am getting:
[server:mailman/mailman/cgi] root# patch CAN-2005-0202.txt
patching file private.py
Reversed (or previously applied) patch detected! Assume -R? [n] n
Apply
At 7:37 AM +1100 2005-03-23, Terry Allen wrote:
The output into the .rej file has only the comments at the start
of private.py - I ran the patch 3 times but on the second time I
answered Y on the reverse apply question, then the 3rd time, it
ran without error. does this indicate to you
On Tue, 2005-03-22 at 22:28 +0100, Brad Knowles wrote:
At 7:37 AM +1100 2005-03-23, Terry Allen wrote:
The output into the .rej file has only the comments at the start
of private.py - I ran the patch 3 times but on the second time I
answered Y on the reverse apply question, then the
Hey folks. I haven't seen an official post here yet but as this has already
gone out on at least one full-disclosure list I thought it worth mentioning
since this will be an actively exploited 0 day:
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
Basically, there
For whatever it's worth, it is a daily concern to me that there are common
enemies out there that have far more time to keep up on exploits in
certain areas than I do.
I rely on this list for Mailman info. Before this afternoon, I was
unaware my server, with over 400 lists and tens of
Hi,
Barry Warsaw wrote:
On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote:
I've tested with my 1.3.29 installation and verified apache PATH_INFO
does convert '//' to '/'. Barry also wanted to clarify which apache
version/installation (combination with mailman) is vulnerable. Return
code
* Chuq Von Rospach:
my position is simple (and unchanged): if it's not your project, don't
make strategic decisions about it.
Unfortunately, the crackers that began to attack Mailman sites in
January didn't respect your wishes.
Who has a say in the disclosure of a security bug? The person
At 1:24 PM +0100 2005-02-14, Florian Weimer wrote:
Who has a say in the disclosure of a security bug?
In terms of who can post such things to this list? Well, as one
of the core developers for Mailman, Chuq is one of the very few
people who can have an absolute say in that.
You're trying to
* Brad Knowles:
At 1:24 PM +0100 2005-02-14, Florian Weimer wrote:
Who has a say in the disclosure of a security bug?
In terms of who can post such things to this list? Well, as one
of the core developers for Mailman, Chuq is one of the very few
people who can have an absolute
At 2:09 PM +0100 2005-02-14, Florian Weimer wrote:
The underlying assumption seems to be that Mailman security bugs can
only be disclosed by posting them on the Mailman lists.
We have no more control over what you say or do on other lists
than any other developer. Yes, if there is a security
At 2:09 PM +0100 2005-02-14, Florian Weimer wrote:
The underlying assumption seems to be that Mailman security bugs can
only be disclosed by posting them on the Mailman lists.
In response to this issue, FAQ 1.27 has been updated, and the
mailman-users and mailman-developers mailing lists have
On Feb 14, 2005, at 4:24 AM, Florian Weimer wrote:
You're trying to establish something like ownership of security bugs.
No, I'm trying to get the people on this list to follow the STANDARD
PROTOCOL that exists for disclosure of this data, actually. Which if
people actually paid attention to
--On February 14, 2005 07:40:29 -0800 Chuq Von Rospach
[EMAIL PROTECTED] wrote:
Again.
So excuse me if I'm grumpy. I think I'm entitled. Not as much as Barry
is, but he's far too polite to try to get people to behave. that's my job
around here.
Good on you. I was mightily pissed off when that
great just what we need 20 lines of .signature .
On Mon, 14 Feb 2005, Brad Knowles wrote:
In response to this issue, FAQ 1.27 has been updated, and the
mailman-users and mailman-developers mailing lists have likewise been
modified to include suitable text at the bottom of every
On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote:
I've tested with my 1.3.29 installation and verified apache PATH_INFO
does convert '//' to '/'. Barry also wanted to clarify which apache
version/installation (combination with mailman) is vulnerable. Return
code of 200 doesn't mean
On Mon, 2005-02-14 at 10:23, Brad Knowles wrote:
In response to this issue, FAQ 1.27 has been updated
Wow Brad, I was just about to change this to read
[EMAIL PROTECTED] but you beat me to it by seconds. :)
, and the
mailman-users and mailman-developers mailing lists have likewise
At 5:12 PM -0500 2005-02-14, Barry Warsaw wrote:
In response to this issue, FAQ 1.27 has been updated
Wow Brad, I was just about to change this to read
[EMAIL PROTECTED] but you beat me to it by seconds. :)
Mark had clued me in that someone had changed the
security-related pages at
Chuq Von Rospach wrote on Thu, 10 Feb 2005 08:48:23 -0800:
If you own a business, and your customers start telling your employees
when to take coffee breaks, would that upset you?
What's that got to do with Mailman or this list?
that's the same issue as when users decide when to make
One last comment. I had not followed the list for quite a few weeks or
longer, had a problem and opened the folder to see if it was mentioned in
any of the latest postings. One of the first I came across, reading from
behind, was this thread. Chuq's reply sounded quite rude to me at that
time,
At 1:31 PM +0100 2005-02-11, Kai Schaetzl wrote:
that's the same issue as when users decide when to make announcements
about mailman without consulting Barry.
All of what you are saying is based on false presumptions. There was no
announcement, this list is not an office owned by Barry and
Brad Knowles wrote on Thu, 10 Feb 2005 02:32:18 +0100:
However, I also take Chuq's point that all security announcements
to this list, and all related mailman mailing lists hosted on
python.org, should be made by Barry or one of the other core
developers.
This was not a security
If you own a business, and your customers start telling your employees
when to take coffee breaks, would that upset you?
that's the same issue as when users decide when to make announcements
about mailman without consulting Barry. It's Barry's call.
A lot of this comes down to the issue of
At 11:19 AM -0800 2005-02-09, Ron Brogden wrote:
Hey folks. I haven't seen an official post here yet but as this has already
gone out on at least one full-disclosure list I thought it worth mentioning
since this will be an actively exploited 0 day:
On February 9, 2005 11:52, Brad Knowles wrote:
Generally speaking, notices of security issues should be dealt
with according to the instructions at
http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq01.027.htp.
Hello Brad. I was under the impression that the Mailman team already knew
If Barry didn't know about it, disclosing it without his approval was
wrong.
if barry DID know, and hadn't done the disclosure himself, doing it
without his approval was wrong, because Barry likely had a reason why
he hadn't mentioned it yet.
Either way, something like this should have been
Hi,
Ron Brogden wrote:
Hey folks. I haven't seen an official post here yet but as this has already
gone out on at least one full-disclosure list I thought it worth mentioning
since this will be an actively exploited 0 day:
Well, as long as the cat is out of the bag, here is some info that might be
helpful to folks. I was told the security alert was made public this
afternoon so not much is being compromised by helping folks address the
issue given its new found visibility :-( Red Hat has patched all of its
Mailman
Chuq Von Rospach wrote on Wed, 9 Feb 2005 12:47:34 -0800:
Either way, something like this should have been left to the project
developers (i.e. barry) to disclose.
Correct. But it's out and it's not Ron to blame, so I don't see a reason
for slapping Ron for posting it finally to the list.
At 12:31 AM +0100 2005-02-10, Kai Schaetzl wrote:
Either way, something like this should have been left to the project
developers (i.e. barry) to disclose.
Correct. But it's out and it's not Ron to blame, so I don't see a reason
for slapping Ron for posting it finally to the list.
There are
However, I also take Chuq's point that all security announcements to
this list, and all related mailman mailing lists hosted on python.org,
should be made by Barry or one of the other core developers. Even if
the information has been publicly released elsewhere, it is not
appropriate to post
At 10:15 PM -0800 2005-02-09, Chuq Von Rospach wrote:
my position is simple (and unchanged): if it's not your project, don't
make strategic decisions about it. it was barry's call. Barry and Tokio
were working the issue and trying to get things ready. By having it
prematurely disclosed to a
Howdy,
I have 2 mailman lists
http://mossbaydiveclub.org/mailman/listinfo
http://snapnshoot.org/mailman/listinfo
and have been trying to send out and receive. My ISP did some upgrades for
the new security leaks and I'm thinking it might be an issue for mailman.
They say everything is working
On Jan 10, 2005, at 02:18, fpoole-dive wrote:
Their response: just say that the server php/mysql/exim was upgraded
for
security reasons and that it might make mailman not work correctly for
mailman hasn't been redone yet by the makers.
Mailman doesn't use PHP or MySQL, and works great with Exim
Hi.
I'm setting up an announcement only list on mailman 2.1: Only one email
address announcing to an audience of several who receive messages.
Everything is working great, but there seems to be a glaring security
hole: Somebody can fake the From: in the email and post to the entire
list. The
At 3:55 PM -0700 2004-09-02, Jeff Pflueger wrote:
Everything is working great, but there seems to be a glaring security
hole: Somebody can fake the From: in the email and post to the entire
list.
Yup.
The best way around this (available in the Listserv software)
is an email
Text in Dutch:
Urgent problem with Mailman
I have a big and above all urgent problem:
I have created several mailing lists with Mailman. However, there is now 1
problem:
1 of those mailing lists contains information that is confidential, but members of
the other lists can (among other things) via the
On Aug 18, 2004, at 3:37 PM, Paul Vogels (E-mail) wrote:
Text in english.
We have the mailman installed.
one of them contains confidential information. But the members from
others
lists can read this information through the link at the bottom of the
email.
So they can read the other
Is anyone aware of the safety/vulnerability of these lists? Are these
appropriate to use for kids? Thanks, Jonathan
At 2:58 AM -0700 2004-08-11, [EMAIL PROTECTED] wrote:
Is anyone aware of the safety/vulnerability of these lists? Are
these appropriate to use for kids?
It depends on how much security you want/need. Even if you run a
closed list, anyone can spoof the sender address of a subscribed
user,
Hi,
Brendan Chard wrote:
A message went to one of my lists last night that looked very peculiar, like
a spammer. I'm hoping to get some input to see if it's something I should
be worried about or just a fluke.
The subject line however is what concerns me... it says:
get probate 123423 123355
A message went to one of my lists last night that looked very peculiar, like
a spammer. I'm hoping to get some input to see if it's something I should
be worried about or just a fluke.
I'm running Mailman 2.1.4 on FreeBSD with MailScanner and ClamAV
I have an unmoderated closed list with the
I'm a mailman user, I have installed and configured some lists on my server,
the question is:
when I access the list info page, and I follow a link which says Click
here for the list of Investigadores subscribers: VISIT SUBSCRIBERS LIST
I can (or whoever follows the link) modify the properties of any
Hello,
I created an announce-only list. To do this in 'Privacy section' I set
the moderation on, the poster receives a rejection notice which explains
that this is an announce-only list.
In 'membership management' I disabled moderation for people who should
be able to send msgs to the list.
To answer my own question.
There's an entry in the FAQ on this.
http://www.python.org/cgi-bin/faqw-mm.py?req=all#3.11
Best thing to do is use the approve header or an approve line in the
msg.
However I would like to know if a separate moderation would be possible.
Or alternatively restrict the
On Mon, Jun 16, 2003 at 11:57:29AM +0200, Jeroen Valcke wrote:
Best thing to do is use the approve header or an approve line in the
msg.
IMHO, the problem with the approve passwd is that anybody who knows (or
guesses) the approve passwd can post to the list.
So even non-members can post when
I took a quick look at the FAQ and didn't spot this one (although it might
still be there). I suddenly need to change one of my lists to
moderated. But I'm not thrilled about giving him full access to the
administrative interface. Is there a way I can give him access to
Administrative
On Sat, 08 Dec 2001 21:25:43 -0500
J Barnes [EMAIL PROTECTED] wrote:
I took a quick look at the FAQ and didn't spot this one (although
it might still be there). I suddenly need to change one of my
lists to moderated. But I'm not thrilled about giving him full
access to the administrative
Hi
We have two more or less identical machines with very similar software
installs - both Mandrake 7.0, both have had exactly the same security
fixes (mostly to BIND), both run Apache 1.3.9 with mod_jserv as user
webserver, group webserver (201, 201 in both cases).
Recently we've installed
70 matches