Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-17 Thread Warren Woodward
For whatever its worth, it is a daily concern to me that there are common enemies out there that have far more time to keep up on exploits in certain areas than I do. I rely on this list for Mailman info. Before this afternoon, I was unaware my server, with over 400 lists and tens of thousand

[Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-17 Thread Ron Brogden
Hey folks. I haven't seen an official post here yet but as this has already gone out on at least one full-disclosure list I thought it worth mentioning since this will be an actively exploited 0 day: http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html Basically, there is

Re: [Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-15 Thread Tokio Kikuchi
Hi, Barry Warsaw wrote: > On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote: > > >>I've tested with my 1.3.29 installation and verified apache PATH_INFO >>does convert '//' to '/'. Barry also wanted to clarify which apache >>version/installation (combination with mailman) is vulnerable. Return

Re: [Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Brad Knowles
At 5:12 PM -0500 2005-02-14, Barry Warsaw wrote: In response to this issue, FAQ 1.27 has been updated Wow Brad, I was just about to change this to read [EMAIL PROTECTED] but you beat me to it by seconds. :) Mark had clued me in that someone had changed the security-related pages at www.list.o

Re: [Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Barry Warsaw
On Mon, 2005-02-14 at 10:23, Brad Knowles wrote: > In response to this issue, FAQ 1.27 has been updated Wow Brad, I was just about to change this to read [EMAIL PROTECTED] but you beat me to it by seconds. :) > , and the > mailman-users and mailman-developers mailing lists have likewise b

Re: [Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Barry Warsaw
On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote: > I've tested with my 1.3.29 installation and verified apache PATH_INFO > does convert '//' to '/'. Barry also wanted to clarify which apache > version/installation (combination with mailman) is vulnerable. Return > code of 200 doesn't mean suce

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Jeff Donsbach
Great, just what we need: 20 lines of .signature. On Mon, 14 Feb 2005, Brad Knowles wrote: In response to this issue, FAQ 1.27 has been updated, and the mailman-users and mailman-developers mailing lists have likewise been modified to include suitable text at the bottom of every messag

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread iane
--On February 14, 2005 07:40:29 -0800 Chuq Von Rospach <[EMAIL PROTECTED]> wrote: Again. So excuse me if I'm grumpy. I think I'm entitled. Not as much as Barry is, but he's far too polite to try to get people to behave. that's my job around here. Good on you. I was mightily pissed off when that

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Chuq Von Rospach
On Feb 14, 2005, at 4:24 AM, Florian Weimer wrote: You're trying to establish something like ownership of security bugs. No, I'm trying to get the people on this list to follow the STANDARD PROTOCOL that exists for disclosure of this data, actually. Which if people actually paid attention to ho

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Brad Knowles
At 2:09 PM +0100 2005-02-14, Florian Weimer wrote: The underlying assumption seems to be that Mailman security bugs can only be disclosed by posting them on the Mailman lists. In response to this issue, FAQ 1.27 has been updated, and the mailman-users and mailman-developers mailing lists have l

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Brad Knowles
At 2:09 PM +0100 2005-02-14, Florian Weimer wrote: The underlying assumption seems to be that Mailman security bugs can only be disclosed by posting them on the Mailman lists. We have no more control over what you say or do on other lists than any other developer. Yes, if there is a security b

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Florian Weimer
* Brad Knowles: > At 1:24 PM +0100 2005-02-14, Florian Weimer wrote: > >> Who has a say in the disclosure of a security bug? > > In terms of who can post such things to this list? Well, as one > of the core developers for Mailman, Chuq is one of the very few > people who can have an abso

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Brad Knowles
At 1:24 PM +0100 2005-02-14, Florian Weimer wrote: Who has a say in the disclosure of a security bug? In terms of who can post such things to this list? Well, as one of the core developers for Mailman, Chuq is one of the very few people who can have an absolute say in that. You're trying to

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-14 Thread Florian Weimer
* Chuq Von Rospach: > my position is simple (and unchanged): if it's not your project, don't > make strategic decisions about it. Unfortunately, the crackers that began to attack Mailman sites in January didn't respect your wishes. Who has a say in the disclosure of a security bug? The person

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-11 Thread Brad Knowles
At 1:31 PM +0100 2005-02-11, Kai Schaetzl wrote: that's the same issue as when users decide when to make announcements about mailman without consulting Barry. All of what you are saying is based on false presumptions. There was no announcement, this list is not an office owned by Barry and it's

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-11 Thread Kai Schaetzl
One last comment. I had not followed the list for quite a few weeks or longer, had a problem and opened the folder to see if it was mentioned in any of the latest postings. One of the first I came across, reading from behind, was this thread. Chuq's reply sounded quite rude to me at that time,

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-11 Thread Kai Schaetzl
Chuq Von Rospach wrote on Thu, 10 Feb 2005 08:48:23 -0800: > If you own a business, and your customers start telling your employees > when to take coffee breaks, would that upset you? What's that got to do with Mailman or this list? > > that's the same issue as when users decide when to make

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-10 Thread Chuq Von Rospach
If you own a business, and your customers start telling your employees when to take coffee breaks, would that upset you? that's the same issue as when users decide when to make announcements about mailman without consulting Barry. It's Barry's call. A lot of this comes down to the issue of peop

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-10 Thread Kai Schaetzl
Brad Knowles wrote on Thu, 10 Feb 2005 02:32:18 +0100: > However, I also take Chuq's point that all security announcements > to this list, and all related mailman mailing lists hosted on > python.org, should be made by Barry or one of the other core > developers. > This was not a "security ann

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Brad Knowles
At 10:15 PM -0800 2005-02-09, Chuq Von Rospach wrote: my position is simple (and unchanged): if it's not your project, don't make strategic decisions about it. it was barry's call. Barry and Tokio were working the issue and trying to get things ready. By having it prematurely disclosed to a wid

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Chuq Von Rospach
However, I also take Chuq's point that all security announcements to this list, and all related mailman mailing lists hosted on python.org, should be made by Barry or one of the other core developers. Even if the information has been publicly released elsewhere, it is not appropriate to post

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Brad Knowles
At 12:31 AM +0100 2005-02-10, Kai Schaetzl wrote: Either way, something like this should have been left to the project developers (i.e. barry) to disclose. Correct. But it's out and it's not Ron to blame, so I don't see a reason for slapping Ron for posting it finally to the list. There are tw

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Kai Schaetzl
Chuq Von Rospach wrote on Wed, 9 Feb 2005 12:47:34 -0800: > Either way, something like this should have been left to the project > developers (i.e. barry) to disclose. Correct. But it's out and it's not Ron to blame, so I don't see a reason for slapping Ron for posting it finally to the list.

RE: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread John Dennis
Well, as long as the cat is out of the bag, here is some info that might be helpful to folks. I was told the security alert was made public this afternoon so not much is being compromised by helping folks address the issue given its new found visibility :-( Red Hat has patched all of its Mailman rp

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Tokio Kikuchi
Hi, Ron Brogden wrote: Hey folks. I haven't seen an official post here yet but as this has already gone out on at least one full-disclosure list I thought it worth mentioning since this will be an actively exploited 0 day: http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.ht

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Chuq Von Rospach
If Barry didn't know about it, disclosing it without his approval was wrong. if barry DID know, and hadn't done the disclosure himself, doing it without his approval was wrong, because Barry likely had a reason why he hadn't mentioned it yet. Either way, something like this should have been le

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Brad Knowles
At 12:08 PM -0800 2005-02-09, Ron Brogden wrote: Hello Brad. I was under the impression that the Mailman team already knew about this issue which is why I didn't go through the above procedure. That's why I said "Generally speaking". I wasn't aware that Barry had suggested a fix, or that he w

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Ron Brogden
On February 9, 2005 11:52, Brad Knowles wrote: > Generally speaking, notices of security issues should be dealt > with according to the instructions at > . Hello Brad. I was under the impression that the Mailman team already

Re: [Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Brad Knowles
At 11:19 AM -0800 2005-02-09, Ron Brogden wrote: Hey folks. I haven't seen an official post here yet but as this has already gone out on at least one full-disclosure list I thought it worth mentioning since this will be an actively exploited 0 day: http://lists.netsys.com/pipermail/full-disclos

[Mailman-Users] security heads up - path traversal with 2.1.5

2005-02-09 Thread Ron Brogden
Hey folks. I haven't seen an official post here yet but as this has already gone out on at least one full-disclosure list I thought it worth mentioning since this will be an actively exploited 0 day: http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html Basically, there is