--- Begin Message ---
Hi!

I would appreciate it if you could post my mail to the developers list, because if the reply-to is set to that list, I guess it belongs there. ;-)

TIA.

Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert
ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:   Tulpenstrasse 5, D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]
Voice:  +49 6133 939-220
WWW:    http://www.ecos.de/
Fax:    +49 6133 939-333
-------------------------------------------------------------

--- Begin Message ---
You are not allowed to post to this mailing list, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at [EMAIL PROTECTED]

--- Begin Message ---
Hi!

I already patched our servers yesterday after the mail on full-disclosure about it being hacked. (See http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.) The patch mentioned there is without doing the syslog entry, but in general it does the same.

I just want to share my experiences with the patch:

On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions

As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable, too.

> which can allow remote attackers to gain access to member passwords
> under certain conditions.

Not only to member passwords but to any file readable by the user under which the Mailman CGI scripts are running, e.g. /etc/passwd on many systems.

> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
>
> http://www.list.org/CAN-2005-0202.txt

Which unfortunately only works with Python 2. Python 1 (respectively at least 1.5.2) complains about syntax errors. (Which, in fact, also helps against the vulnerability by displaying the "You've found a Mailman bug" page. ;-)

Is there any patch which complies with Python 1 syntax?

P.S.: Please CC replies to me, since I'm only on the Mailman announcement mailing list.

Kind regards, Axel Beckert
--- End Message ---
--- End Message ---
--- End Message ---