FAQ
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
2.1 versions which can allow remote attackers to gain access to member
passwords under certain conditions. The extent of the vulnerability
depends on what version of Apache you are running, and (possibly) how
you have configured your web server. However, the flaw is in Mailman
and has been fixed in CVS and will be included in the Mailman 2.1.6
release.

This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are. In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable. This will disable all access to all private archives on
your system. While this is the quickest and easiest way to close the
hole, it will also break all your private archives. If all the lists on
your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:

http://www.list.org/CAN-2005-0202.txt

For additional peace of mind, it is recommended that you regenerate your
member passwords. Instructions on how to do this, and more information
about this vulnerability are available here:

http://www.list.org/security.html

My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec.
This issue was found by Marcus Meissner.

-Barry



  • AJ at Feb 10, 2005 at 3:17 pm
    Can this be applied to any 2.1 release?
    I am running 2.1 at the moment.

    Thanks.
    Until Mailman 2.1.6 is released, the longer term fix is to apply this
    patch:

    http://www.list.org/CAN-2005-0202.txt
  • Ralf Hildebrandt at Feb 10, 2005 at 3:14 pm

    * AJ <aj at mindcrash.com>:
    Can this be applied to any 2.1 release?
    I am running 2.1 at the moment.
    The patch is very small, so I'd think yes.
    --
    Ralf Hildebrandt (i.A. des IT-Zentrum) Ralf.Hildebrandt at charite.de
    Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
    Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962
    IT-Zentrum Standort CBF send no mail to spamtrap at charite.de
  • AJ at Feb 10, 2005 at 3:40 pm
    OK, thanks. With no modifications it did not apply, but I can probably get it
    to work. It shouldn't cause any issues w/ 2.1 should it?

    Thanks.

    Quoting Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
    * AJ <aj at mindcrash.com>:
    Can this be applied to any 2.1 release?
    I am running 2.1 at the moment.
    The patch is very small, so I'd think yes.
    --
  • John Dennis at Feb 10, 2005 at 3:55 pm
    To answer a few recent questions.

    To the best of my knowledge the patch is safe for any version of mailman
    that contains the function true_path in private.py.

    You will not see a new .pyc or .pyo file generated until the script is
    executed for the first time after the change. In other words until
    someone logs into a private archive for the first time. If you're really
    concerned about the old .pyc or .pyo files you can manually remove them.

    --
    John Dennis <jdennis at redhat.com>
  • John Swartzentruber at Feb 10, 2005 at 3:34 pm

    On 2/10/2005 9:41 AM Barry Warsaw wrote:
    Until Mailman 2.1.6 is released, the longer term fix is to apply this
    patch:

    http://www.list.org/CAN-2005-0202.txt
    Could an expert please help out a non-expert? I applied this patch to
    /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly
    patched. I'm not sure that this is enough, however, because the
    private.pyc file wasn't changed, even after I restarted mailman. Should
    I have patched the private.py file in the source, then gone through the
    "make" and "make install" process?

    In short, how should this patch be applied?
  • Dave at Feb 10, 2005 at 4:03 pm

    On Thu, 10 Feb 2005, John Swartzentruber wrote:
    On 2/10/2005 9:41 AM Barry Warsaw wrote:
    Until Mailman 2.1.6 is released, the longer term fix is to apply this
    patch:

    http://www.list.org/CAN-2005-0202.txt
    Could an expert please help out a non-expert? I applied this patch to
    /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly patched.
    I'm not sure that this is enough, however, because the private.pyc file
    wasn't changed, even after I restarted mailman. Should I have patched the
    private.py file in the source, then gone through the "make" and "make
    install" process?
    Edit $MAILMAN/Mailman/Cgi/private.py (probably wise to save the orig).
    Where you see lines in the diff beginning with "-", remove those lines;
    where you see lines in the diff beginning with "+", add those lines.

    Once the edit is complete, stop and restart the qrunner (perhaps it's
    /etc/init.d/mailman or $MAILMAN/bin/mailmanctl depending on how you're
    set up).


    The pyc will only get remade when needed and since this only affects lists
    with archives, try going to some list of yours with an archive.

    The original patch I saw on the net seems to work fine but doesn't log the
    hack attempts to the $MAILMAN/logs/mischief file. Here it is:

    ----------------------------------------------------
    # Fragment of Mailman/Cgi/private.py; i18n and mm_cfg are imported
    # earlier in that file.
    i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


    SLASH = '/'

    def true_path(path):
        "Ensure that the path is safe by removing .."
        # keep only the components that are neither '.' nor '..'
        parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
        # drop the leading slash so the result joins under the archive dir
        return SLASH.join(parts)[1:]
    -----------------------------------------------------

    The one from the diffs looks like this:

    ----------------------------------------------------
    # Fragment of Mailman/Cgi/private.py; i18n and mm_cfg are imported
    # earlier in that file.
    i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


    # (a form-feed section separator, shown as ^L, sits here in the
    # original file)
    SLASH = '/'

    def true_path(path):
        "Ensure that the path is safe by removing .."
        parts = path.split(SLASH)
        safe = [x for x in parts if x not in ('.', '..')]
        # spelled 'parts <> safe' in the original diff; '!=' is the same
        # test in Python 2 and is also valid in Python 3
        if parts != safe:
            # syslog is Mailman.Logging.Syslog.syslog; 'mischief' is the
            # $MAILMAN/logs/mischief file
            syslog('mischief', 'Directory traversal attack thwarted')
        return SLASH.join(safe)[1:]

    ------------------------------------------------------

    If I got any of the above wrong, I apologize; please lemme know.
    We're all in this together


    =-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
    David Stern University of Maryland
    Institute for Advanced Computer Studies
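Added example, not code from the thread or from Mailman itself: the list-based true_path from the diff quoted above, with the syslog call replaced by an injectable callback so it runs without a Mailman installation, followed by a containment check that joins the sanitised path under an archive root and confirms the normalised result still lies inside it. ARCHIVE_ROOT (standing in for mm_cfg.PRIVATE_ARCHIVE_FILE_DIR), the check_request helper and the PATH_INFO values are constructed for the example.

```python
import posixpath

SLASH = '/'

# Constructed for the example; in a Mailman install this would be
# mm_cfg.PRIVATE_ARCHIVE_FILE_DIR.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'


def true_path(path, log=None):
    """The true_path from the CAN-2005-0202 diff: drop every '.' and
    '..' component of PATH_INFO. The diff writes to the 'mischief'
    syslog; here the message goes to the optional `log` callable."""
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe and log is not None:
        log('Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]


def check_request(path_info, root=ARCHIVE_ROOT):
    """Sanitise PATH_INFO, join it under the archive root and verify the
    normalised result is still inside the root. This containment check is
    an added defence-in-depth step, not part of the Mailman patch. A real
    deployment would normalise with os.path.realpath so symlinks are
    resolved as well; posixpath.normpath keeps this example offline."""
    events = []
    rel = true_path(path_info, log=events.append)
    resolved = posixpath.normpath(posixpath.join(root, rel))
    inside = resolved == root or resolved.startswith(root + SLASH)
    return {
        'relative': rel,            # what private.py passes to os.path.join
        'resolved': resolved,       # file that would actually be opened
        'inside': inside,           # True if still under ARCHIVE_ROOT
        'thwarted': bool(events),   # True if a '.' or '..' was dropped
        'log': events,              # what would have gone to logs/mischief
    }


# Constructed PATH_INFO values: an ordinary archive request, a '..'
# traversal attempt, a harmless '.' component, and a legitimate '...'
# directory name that must not be treated as traversal.
SAMPLE_PATH_INFO = [
    '/mylist/2005-February/000123.html',
    '/mylist/../../../etc/passwd',
    '/mylist/./2005-February/',
    '/mylist/.../thread.html',
]


if __name__ == '__main__':
    for path_info in SAMPLE_PATH_INFO:
        result = check_request(path_info)
        print('%-36s -> %s  inside=%s thwarted=%s' % (
            path_info, result['resolved'], result['inside'],
            result['thwarted']))
```

The sanitiser alone decides what string reaches os.path.join; the containment check is the second opinion a reviewer would want, because it judges the final filesystem path rather than the rewriting rule.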
  • John Swartzentruber at Feb 10, 2005 at 4:12 pm

    On 2/10/2005 11:03 AM dave at umiacs.umd.edu wrote:
    The pyc will only get remade when needed and since this only affects lists
    with archives, try going to some list of yours with an archive.
    Thank you (and to Dan Phillips who replied privately). When I accessed a
    private archive the .pyc file was remade as you said it would be.
  • Thomas Waters at Feb 10, 2005 at 4:34 pm
    I'd like to issue a similar plea for assistance. I have Mailman 2.1.3
    (default install on Panther Server). If a very basic set of
    instructions could be prepared (step 1, step 2, step 3...), it would be
    extremely helpful.
    On Feb 10, 2005, at 10:34 AM, John Swartzentruber wrote:
    On 2/10/2005 9:41 AM Barry Warsaw wrote:
    Until Mailman 2.1.6 is released, the longer term fix is to apply this
    patch:
    http://www.list.org/CAN-2005-0202.txt
    Could an expert please help out a non-expert? I applied this patch to
    /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly
    patched. I'm not sure that this is enough, however, because the
    private.pyc file wasn't changed, even after I restarted mailman.
    Should I have patched the private.py file in the source, then gone
    through the "make" and "make install" process?

    In short, how should this patch be applied?

    NOTE: new email address
    --
    Thomas Waters
    Director of Information and Communication Services
    University of Pittsburgh School of Pharmacy
    412-383-7471
    waterstc at pitt.edu
    http://www.pharmacy.pitt.edu
  • Axel Beckert at Feb 10, 2005 at 7:55 pm
    Hi!

    I already patched our servers yesterday after the mail on
    full-disclosure about it being hacked. (See
    http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.)
    The patch mentioned there is without doing the syslog entry, but in
    general it does the same.

    I just want to share my experiences with the patch:
    On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
    There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
    2.1 versions
    As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
    too. (As the subject of the announcement also suggested.)
    which can allow remote attackers to gain access to member passwords
    under certain conditions.
    Not only to member passwords but to any file readable by the user
    under which the Mailman CGI scripts are running, e.g. /etc/passwd on
    many systems.
    Until Mailman 2.1.6 is released, the longer term fix is to apply
    this patch:

    http://www.list.org/CAN-2005-0202.txt
    Which unfortunately only works with Python 2.

    Python 1 (at least 1.5.2) complains about syntax
    errors. (Which, in fact, also helps against the vulnerability by
    displaying the "You've found a Mailman bug" page. ;-)

    Is there any patch which complies with Python 1 syntax? (Sorry,
    although I patched some "features" in Mailman once, I'm not the
    Python guy. :)

    Kind regards, Axel Beckert
    --
    -------------------------------------------------------------
    Axel Beckert ecos electronic communication services gmbh
    it security solutions * web applications with apache and perl

    Mail: Tulpenstrasse 5 D-55276 Dienheim near Mainz
    E-Mail: beckert at ecos.de Voice: +49 6133 939-220
    WWW: http://www.ecos.de/ Fax: +49 6133 939-333
    -------------------------------------------------------------
  • Tokio Kikuchi at Feb 11, 2005 at 1:06 am
    Hi,
    As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
    too. (As the subject of the announcement also suggested.)
    Which unfortunately only works with Python 2.

    Python 1 (at least 1.5.2) complains about syntax
    errors. (Which, in fact, also helps against the vulnerability by
    displaying the "You've found a Mailman bug" page. ;-)
    Change the true_path function as:

    def true_path(path):
        "Ensure that the path is safe by removing .."
        import re
        # raw string so the backslash reaches the regex engine unchanged;
        # deletes every run of dots that is followed by one or more slashes
        path = re.sub(r'\.+/+', '', path)
        # drop the leading slash so the result joins under the archive dir
        return path[1:]


    and try. Sorry but I have no 2.0.x around but only found a machine which
    has a working Python 1.x installed.

    --
    Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
    http://weather.is.kochi-u.ac.jp/
  • Axel Beckert at Feb 11, 2005 at 8:13 am
    Hi!
    On Fri, Feb 11, 2005 at 10:06:55AM +0900, Tokio Kikuchi wrote:
    Python 1 (at least 1.5.2) complains about syntax
    errors. (Which, in fact, also helps against the vulnerability by
    displaying the "You've found a Mailman bug" page. ;-)
    Change the true_path function as:

    def true_path(path):
        "Ensure that the path is safe by removing .."
        import re
        # raw string so the backslash reaches the regex engine unchanged;
        # deletes every run of dots that is followed by one or more slashes
        path = re.sub(r'\.+/+', '', path)
        # drop the leading slash so the result joins under the archive dir
        return path[1:]

    and try.
    Perfect. Thanks! And I've even learned a little bit more Python today. :-)
    Sorry but I have no 2.0.x around
    Probably doesn't matter. The function is exactly the same as in 2.1.5.
    but only found a machine which has a working Python 1.x installed.
    Thanks for searching.

    Kind regards, Axel Beckert
    --
    -------------------------------------------------------------
    Axel Beckert ecos electronic communication services gmbh
    it security solutions * web applications with apache and perl

    Mail: Tulpenstrasse 5 D-55276 Dienheim near Mainz
    E-Mail: beckert at ecos.de Voice: +49 6133 939-220
    WWW: http://www.ecos.de/ Fax: +49 6133 939-333
    -------------------------------------------------------------

Discussion Overview
group: mailman-users @ python
posted: Feb 10, '05 at 2:41p
active: Feb 11, '05 at 8:13a
posts: 12
users: 9
website: list.org
