Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Brad Knowles
At 10:14 PM -0500 2006-01-29, Jim Popovitch wrote: > Well, I disagree with the current procedure, which based on past emails, > suggests that no one is kept informed about security concerns, and only > those that hear about one on their own can get a private response by > emailing mailman-secu

Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Brad Knowles
At 10:11 PM -0500 2006-01-29, Jim Popovitch quoted Stephen J. Turnbull: >> And if three people ask on mailman-security? There's a short post to >> mailman-users, and it ends up in the faq, because it's a PITA for the >> developers to keep answering it. >> What's wrong with that? > > Nothing,

Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Stephen J. Turnbull
> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: Jim> BTW, just who are the members of mailman-security? It's a self-selecting group, though not a terribly secret one; I believe the membership of that list has been described, if not explicitly listed, in the past. But I know Barry we

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Brad Knowles wrote: > If we insist that everyone follow the proper procedure every time, > then we shouldn't have any problems. Well, I disagree with the current procedure, which based on past emails, suggests that no one is kept informed about security concerns, and only those that hear about

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Stephen J. Turnbull wrote: >> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: > > Jim> She was asking a very important question about something that > Jim> was already public. > > What important question? I quote Diana from her original email that sparked this thread: "The notice sugg

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Stephen J. Turnbull
> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: Jim> She was asking a very important question about something that Jim> was already public. What important question? It's an easy to execute exploit (in fact, it occasionally happens due to ordinary mail, that's why it was found an

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread JustBrits_com
THANK you, Brad!! I think all Admins/Owners have same prob at one time or another-;( Ed

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Brad Knowles
At 4:10 PM -0500 2006-01-29, Jim Popovitch wrote: > But, Diana wasn't emailing sensitive info. She was asking a very > important question about something that was already public. You then > told her that she should have gone to the secret-handshake club. Are > you suggesting that all "Hey,

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Brad Knowles wrote: > At 2:11 PM -0500 2006-01-28, Jim Popovitch wrote: > >> The whole reason for me waxing so passionately on this thread is the >> earlier suggestion that Diana shouldn't have even emailed mailman-users, >> but rather mailman-security and kept it quiet thereafter (this after i

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Stephen J. Turnbull
> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: Jim> Stephen J. Turnbull wrote: >> Oh, if you prefer windstorms, hurricane is a bad analogy. Far >> more accurate is "tornado".<0.1 wink> Jim> Hurricane is the most accurate analogy, because with Jim> hurricanes nobody

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Brad Knowles
At 2:11 PM -0500 2006-01-28, Jim Popovitch wrote: > The whole reason for me waxing so passionately on this thread is the > earlier suggestion that Diana shouldn't have even emailed mailman-users, > but rather mailman-security and kept it quiet thereafter (this after it > was already released o

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Jim Popovitch
Brad Knowles wrote: > > Some blackhats will already know, but there will be others that don't > -- and who would never know until the first official announcement > goes out. > > No matter what, that first official announcement increases the > exposure of the security weakness. That is an unesca

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Brad Knowles
At 10:31 AM -0500 2006-01-28, Jim Popovitch wrote: >> But when they make that initial announcement, assuming no one else >> has posted something to some other mailing list, they're basically firing >> the starter's pistol for the blackhats to race to locate the bug and >> start exploiting

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Jim Popovitch
Brad Knowles wrote: > But on Monday, they may not know how long it will take them to > create a patch. It might turn out to be a simple matter that can be > fixed by Tuesday morning, or it might be complex and take weeks or months. > > But when they make that initial announcement, assum

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Brad Knowles
At 12:43 AM -0500 2006-01-28, Jim Popovitch wrote: > No. What I am suggesting/recommending is this: If the developers know > on Monday of some super secret issue, and presumably they won't have a > robust fully-tested solution until Friday, I want them to tell me in > no-detail to alert me t

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Stephen J. Turnbull wrote: >> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: > > Oh, if you prefer windstorms, hurricane is a bad analogy. Far more > accurate is "tornado".<0.1 wink> Hurricane is the most accurate analogy, because with hurricanes nobody knows about them until the NWS (a

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Stephen J. Turnbull
> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: Jim> Stephen J. Turnbull wrote: >> 5. Security patches are asynchronous, like earthquakes, they >> happen when they happen. Jim> Very bad analogy. Hurricanes would be better. There is Jim> plenty of potential for use

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Jim Popovitch wrote: > Brad Knowles wrote: >> At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: >> 5. Security patches are asynchronous, like earthquakes, they happen when they happen. >>> >>> Very bad analogy. Hurricanes would be better. There is plenty of >>> potential for user-

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Brad Knowles wrote: > At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: > >>> 5. Security patches are asynchronous, like earthquakes, they happen >>> when they happen. >> >> Very bad analogy. Hurricanes would be better. There is plenty of >> potential for user-base warning before a patch i

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: >> 5. Security patches are asynchronous, like earthquakes, they happen >> when they happen. > > Very bad analogy. Hurricanes would be better. There is plenty of > potential for user-base warning before a patch is to be released. No

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Stephen J. Turnbull wrote: > > 5. Security patches are asynchronous, like earthquakes, they happen > when they happen. Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released. > If the patch comes out on Friday at 4:45

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Stephen J. Turnbull
> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes: Jim> I guess we just see system administration from different Jim> angles, I prefer communication to silence. Of course. So does everybody. Specifically, so do the crackers. Jim> Barry/Tokio/Mark: Folks, yesterday we were inf

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 1:00 AM -0500 2006-01-27, Jim Popovitch wrote: > I'm pretty sure that the > "insiders" fix their systems first, then tell the rest of us about the > patch, probably at the last minute possible. The "insiders" here are people like Barry, To

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Brad Knowles wrote: > > There is a QA process that such patches need to go through, even if > we're talking about a bug that is currently being exploited widely. > > In fact, the more it's being exploited, and the more dangerous it > is, I think the more testing needs to be done t

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 9:05 PM -0500 2006-01-26, Jim Popovitch wrote: >> Fortunately, in this case it is a known issue (which others have >> apparently decided to portray in a very different way), and which has >> already been addressed (as described by Tokio). > > OK, but what about the next one? What do M

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Mark Sapiro wrote: > Jim Popovitch wrote: >> OK, but what about the next one? What do Mailman system admins do, wait? > > Yes, I think so. The alternative is everyone goes off half-cocked and > you have a situation such as occurred about a year ago with the > CAN-2005-0202 issue

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Mark Sapiro
Jim Popovitch wrote: > > OK, but what about the next one? What do Mailman system admins do, wait? Yes, I think so. The alternative is everyone goes off half-cocked and you have a situation such as occurred about a year ago with the CAN-2005-0202 issue. In this

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: > > Fortunately, in this case it is a known issue (which others have > apparently decided to portray in a very different way), and which has > already been addressed (as described by Tokio). OK, but what about the next one? What do Mailman system admins do, wait? -Jim

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 5:53 PM -0500 2006-01-26, Jim Popovitch wrote: > Fair enough. I would like to find a way for myself (and other Mailman > admins) to be in that appropriate place. This doesn't mean all Mailman > users, perhaps there should be a pre-screened > [EMAIL PROTECTED] list. IMO, this is t

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: > At 3:28 PM -0500 2006-01-26, Jim Popovitch wrote: > >> OK, that makes some sense to keep it hush-hush for a while. HOWEVER, >> what >> is the process for notifying Mailman admins of temporary workarounds for >> this and any other situation? I honestly don't want to wait

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 3:28 PM -0500 2006-01-26, Jim Popovitch wrote: > OK, that makes some sense to keep it hush-hush for a while. HOWEVER, what > is the process for notifying Mailman admins of temporary workarounds for > this and any other situation? I honestly don't want to wait for an > official patch if th

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 4:40 PM -0500 2006-01-26, Jim Popovitch wrote: >> >>http://sourceforge.net/tracker/index.php?func=detail&aid=1123383&group_id=103&atid=300103 > > Excellent addition to Mailman. I presume this will wind up in the > distribution one day? There is a slightly older version of the scrip

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Tokio Kikuchi wrote: > [snip] > > This is the mechanism of "Denial of Service". Thank you Tokio for the very detailed info. > Therefore, the site administrator should check the qfiles/shunt > directory and the logs/error file periodically. > > Brad Knowles' Daily Status Report should help in t

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Diana Orrick
Thank you for your prompt response and suggestion! ~~~ Diana Mayer Orrick email: [EMAIL PROTECTED] University Computing Services ph: (850) 644-2591 Florida State University fax: (850) 644-8722 ~

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Tokio Kikuchi
Hi, Diana Orrick wrote: > http://www.securityfocus.com/bid/16248/discuss > > GNU Mailman Large Date Data Denial Of Service Vulnerability > > GNU Mailman is prone to a denial of service attack. This issue affects the > email date parsing functionality of Mailman. > > The vulnerability could be t

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: > All security-related questions should be handled in accordance > with FAQ 1.27, see > . OK, that makes some sense to keep it hush-hush for a while. HOWEVER, what is the process for notifying Mailm

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 1:05 PM -0500 2006-01-26, Diana Orrick wrote: > http://www.securityfocus.com/bid/16248/discuss > > GNU Mailman Large Date Data Denial Of Service Vulnerability > > GNU Mailman is prone to a denial of service attack. This issue affects the > email date parsing functionality of Mailman. > > T

[Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Diana Orrick
http://www.securityfocus.com/bid/16248/discuss GNU Mailman Large Date Data Denial Of Service Vulnerability GNU Mailman is prone to a denial of service attack. This issue affects the email date parsing functionality of Mailman. The vulnerability could be triggered by mailing list posts and will