I have posted a revised version of the Mailman-htdig integration patch #444884 as file htdig-2.1.1-0.2.patch.gz at:

http://sourceforge.net/tracker/?func=detail&aid=444884&group_id=103&atid=300103

The changes close a security exploit pointed out to me by Rupa Schomaker <[EMAIL PROTECTED]>.

The substance of the exploit is that an unauthorized user could construct an HTTP request which would get htdig's htsearch program to return search results for a private list archive. The search results page could thus reveal information to an unauthorized user, even though the htdig.py CGI script would refuse to serve the archive page pointed to by the links on the htsearch results page.

With the amended patch, htsearch is now invoked by a new security wrapper which prevents this exploit. Without the wrapper htsearch is unable to access the per-list htdig config files. The security wrapper ensures the user requesting the search is authorized to see the list's archive before allowing the search.

Any problems with this new patch version, let me know.

But do read the instructions in the file INSTALL.htdig-mm installed by the patch. There are specific notes about updating an existing MM installation which has had an earlier version of patch #444884 applied to it.
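As an added illustration (not the patch's own code, and not Mailman's or htdig's), the following Python models the two behaviours the message contrasts: a search entry point that takes the htdig config name straight from the request, so the index of any list can be searched regardless of archive privacy, and a wrapper that resolves the list from a validated name, checks archive privacy and member credentials first, and only then builds the htsearch invocation. The `ARCHIVE_LISTS` table, the config directory, the `private` flag, the member credential store and the request-controlled `config` parameter are all assumptions made for the example.

```python
"""Authorization gate in front of htsearch (added illustration, not the
patch's code). Every name and path below is assumed for the example."""
import hashlib
import hmac
import os
import re

# Constructed sample of per-list archive settings. In a real deployment the
# privacy flag and member credentials would come from the list's own data.
ARCHIVE_LISTS = {
    "announce": {"private": False, "members": {}},
    "staff": {
        "private": True,
        # constructed credential: sha256 of the sample password "s3cret"
        "members": {"alice@example.org": hashlib.sha256(b"s3cret").hexdigest()},
    },
}

HTDIG_CONF_DIR = "/var/mailman/archives/htdig"   # assumed location
LIST_NAME_RE = re.compile(r"^[a-z0-9_-]+$")       # no separators, no '..'


class SearchDenied(Exception):
    """Raised when the requester may not search the list's archive."""


def unsafe_search_argv(params):
    """The exploitable shape, kept only for contrast: the config file name
    is whatever the request says, so the privacy of the archive is never
    consulted before htsearch reads the per-list index."""
    return ["htsearch", "-c", os.path.join(HTDIG_CONF_DIR, params["config"] + ".conf")]


def authorized_search_argv(params, user=None, password=None):
    """Wrapper behaviour: validate the list name, enforce archive privacy,
    then derive the config path from the list name, never from the request.
    Only this wrapper is meant to have read access to HTDIG_CONF_DIR."""
    listname = params.get("listname", "")
    if not LIST_NAME_RE.match(listname) or listname not in ARCHIVE_LISTS:
        raise SearchDenied("unknown list")
    info = ARCHIVE_LISTS[listname]
    if info["private"]:
        expected = info["members"].get(user or "")
        supplied = hashlib.sha256((password or "").encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            raise SearchDenied("archive is private")
    return ["htsearch", "-c", os.path.join(HTDIG_CONF_DIR, listname + ".conf")]


if __name__ == "__main__":
    print(unsafe_search_argv({"config": "staff"}))          # no check at all
    print(authorized_search_argv({"listname": "announce"}))  # public archive
    try:
        authorized_search_argv({"listname": "staff"})        # anonymous, private
    except SearchDenied as exc:
        print("denied:", exc)
```

The point of the wrapper is that the only input it accepts from the request is a list name, which it validates against a known set before touching the filesystem; the decision about whether the archive is private is made by the wrapper, not left to htsearch, which has no notion of list membership.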


Mailman-Users mailing list
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/