On 03/27/2015 02:42 PM, Mark Sapiro wrote:
> A security vulnerability in Mailman has been found and fixed. It has
> been assigned CVE-2015-2775. The details of this vulnerability and fix
> will be announced next Tuesday, 31 March 2015, at which time both a
> patch for this specific vulnerability and Mailman 2.1.20 will be released.
Here is more information. The report at <https://launchpad.net/bugs/1437145> is now public.

Your installation is only vulnerable if both of the following are true.

1) Delivery of list mail to mailman from the MTA uses some kind of programmatic method as opposed to fixed aliases. This includes Exim with the recommended transport, Postfix with the postfix_to_mailman.py transport and qmail with the qmail-to-mailman.py transport.

2) Untrusted users are able to create files on the Mailman server that are accessible to Mailman. These can be in a user's home directory or /tmp or anywhere that can be accessed via a path like /path/to/mailman/lists/../../../../../../../../path/to/directory.

Installations most at risk likely include hosting services using cPanel with untrusted users. Outside of those, the majority of sites are probably not vulnerable.

This vulnerability is fixed by the patch in the attached file. This patch will apply with at most a line number offset to the Utils.py module in any Mailman 2.1.x version that doesn't already have it.

If your Mailman version is 2.1.11 or later, just apply the patch to Mailman/Utils.py and restart Mailman.

For versions older than 2.1.11, the setting mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS referenced in the patch doesn't exist, so you also need to add

ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

to Defaults.py or mm_cfg.py before restarting Mailman.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
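As an added illustration of the two halves of the advisory above (it is not part of Mark's message or of the Mailman code base), the following Python shows why an unchecked list name resolves outside the lists directory and how the character-class test the patch introduces rejects it. `LIST_DATA_DIR` is a constructed stand-in path, and `get_listpath` is a minimal imitation of the real lookup, not Mailman's own function; the character class is the one the message tells pre-2.1.11 sites to add.

```python
import os
import re

# Constructed stand-in for Mailman's list data directory (assumption, not a real install path).
LIST_DATA_DIR = '/var/lib/mailman/lists'

# The character class the advisory tells pre-2.1.11 sites to add to Defaults.py or mm_cfg.py.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'


def get_listpath(listname):
    """Minimal imitation of the unchecked lookup: the name is joined straight under
    the lists directory, so '..' components in the name walk out of it."""
    return os.path.join(LIST_DATA_DIR, listname)


def escapes_list_dir(listname):
    """Diagnostic for the risk: does the unchecked path resolve outside LIST_DATA_DIR?"""
    resolved = os.path.normpath(get_listpath(listname))
    return not (resolved == LIST_DATA_DIR or resolved.startswith(LIST_DATA_DIR + os.sep))


def listname_is_hostile(listname):
    """The test the patch adds: delete every acceptable character and reject the name
    if anything is left over. '/' is not in the class, so no traversal survives."""
    return len(re.sub(ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0


def config_path(listname):
    """Hardened lookup: refuse a hostile name before touching the filesystem,
    otherwise return the list's config.pck path (None means rejected)."""
    if listname_is_hostile(listname):
        # Real Mailman logs this to the 'mischief' log; here we just refuse.
        return None
    return os.path.join(get_listpath(listname), 'config.pck')


if __name__ == '__main__':
    # Constructed sample names: one ordinary list, one traversal attempt, one mixed-case name.
    for name in ('announce', '../../../../tmp/example', 'Announce'):
        print('%-28s escapes=%-5s hostile=%-5s path=%s' % (
            name, escapes_list_dir(name), listname_is_hostile(name), config_path(name)))
```

Note that the class is lowercase-only, so a mixed-case name is also rejected; in the real code the rejection is logged as mischief, which is why callers are expected to hand over an already-lowercased name.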
=== modified file 'Mailman/Utils.py' --- Mailman/Utils.py 2015-01-23 23:50:47 +0000 +++ Mailman/Utils.py 2015-03-27 18:14:06 +0000 @@ -100,6 +100,12 @@ # # The former two are for 2.1alpha3 and beyond, while the latter two are # for all earlier versions. + # + # But first ensure the list name doesn't contain a path traversal + # attack. + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: + syslog('mischief', 'Hostile listname: %s', listname) + return False basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext)
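Review bot: this hunk turns mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS from a naming-policy setting into a security control, so the option's comment in Defaults.py should say that it must remain a plain character class that excludes '/' (and whitespace); a site that broadens it to accept '/' reopens the traversal this guard closes. Two smaller points: re.sub recompiles the pattern on every call of this function, so a module-level re.compile would be cheaper on busy hosts, and the documented class is lowercase-only, so confirm every caller lowercases listname first, otherwise a mixed-case name is logged as 'Hostile listname' in the mischief log instead of simply being reported as not existing.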
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9