Thank you for your prompt response and suggestion!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diana Mayer Orrick                 email: [EMAIL PROTECTED]
University Computing Services      ph:    (850) 644-2591
Florida State University           fax:   (850) 644-8722
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Fri, 27 Jan 2006, Tokio Kikuchi wrote:

> Hi,
>
> Diana Orrick wrote:
> > http://www.securityfocus.com/bid/16248/discuss
> >
> > GNU Mailman Large Date Data Denial Of Service Vulnerability
> >
> > GNU Mailman is prone to a denial of service attack. This issue affects the
> > email date parsing functionality of Mailman.
> >
> > The vulnerability could be triggered by mailing list posts and will impact
> > the availability of mailing lists hosted by the application.
> > ______________________________________________________________________
> > this notice was from [EMAIL PROTECTED]:
> >
> > 06.3.18 CVE: CVE-2005-4153
> > Platform: Unix
> > Title: GNU Mailman Large Date Data Denial of Service
> > Description: Mailman is software to help manage email discussion
> > lists, much like Majordomo and SmartList. The application is exposed
> > to a denial of service issue when it attempts to parse very large
> > numbers of dates contained in email messages. All current versions are
> > affected.
> > Ref: http://www.securityfocus.com/bid/16248
> > ______________________________________________________________________
>
> Once it was only a "bug" which could cause nuisance in administrative
> task. Now they start to call it a "DoS" and threaten us. ;-)
>
> Mailman sends messages in both regular and digest delivery. The digest
> processing is inserted in the middle of regular delivery if the messages
> accumulated reach a preset amount. If there is a serious error in the
> digest processing, the regular delivery fails. Since the messages are
> accumulated already, arrival of the following message triggers the digest
> processing again and also fails in the subsequent regular delivery.
>
> This is the mechanism of "Denial of Service".
>
> Therefore, the site administrator should check the qfiles/shunt
> directory and the logs/error file periodically.
>
> Brad Knowles' Daily Status Report should help in this respect. I really
> want to rewrite it in python and include it in the official cron jobs (if I
> had enough time before the next release of mailman 2.2).
> http://sourceforge.net/tracker/index.php?func=detail&aid=1123383&group_id=103&atid=300103
>
> Mailman has many check points that prevent such malicious messages from
> being passed through, and site/list admins may be able to find workarounds.
>
> But, from mailman-2.1.7, we solved the problem by separating the error
> from regular delivery by the python "try-except" technique. The digest
> delivery will still be stopped by the malicious message but this should
> be notified to the site administrator by the cron/senddigests command.
>
> So, the answer to this CVE is "upgrade to 2.1.7."
>
> We found mailman-2.1.7 still has a few bugs and also uploaded an
> official patch:
> http://sourceforge.net/tracker/index.php?func=detail&aid=1405790&group_id=103&atid=300103
> I hope we can announce mailman-2.1.8a1 very soon.
>
> > --------------------------------------------------------------
> > We are running Mailman 2.1.5 and have just found extraordinary
> > IO wait issues requiring shutdown|restart of Mailman.
>
> This may or may not be related to the DoS issue. I suggest checking lock
> files, shunt directory, and pending requests and searching the mailman FAQ.
>
> > The notice suggests all versions are vulnerable, is this the case?
> > If so, suggested workaround? Patch/upgrade coming?
>
> Mailman-2.1.7 is not vulnerable to this issue.
>
> Cheers,
>
> --
> Tokio Kikuchi

------------------------------------------------------
Mailman-Users mailing list [email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
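The failure chain Tokio describes above (digest flush inserted into regular delivery, one poison post in the accumulated digest breaking every later regular delivery, and the 2.1.7 fix of catching the digest error so regular delivery continues) as an added toy model. This is example code written for this page, not Mailman's own code: the digest threshold, the message dictionaries, the unparseable Date header used as the poison, and the shunt/error-log lists standing in for qfiles/shunt and logs/error are all constructed assumptions.

```python
"""Toy model of the 2.1.x delivery path: regular delivery with the digest
flush inserted inline, before (2.1.5-style) and after (2.1.7-style) wrapping
the digest step in try/except.  Constructed example, not Mailman code."""
from dataclasses import dataclass, field
from email.utils import parsedate_tz

DIGEST_THRESHOLD = 3   # assumed flush size; Mailman's real trigger is per-list config


class DigestError(Exception):
    """Stands in for whatever exception escapes digest processing."""


@dataclass
class ListState:
    digest_mbox: list = field(default_factory=list)   # accumulated digest messages
    delivered: list = field(default_factory=list)     # regular-delivery successes
    shunt: list = field(default_factory=list)         # stands in for qfiles/shunt
    error_log: list = field(default_factory=list)     # stands in for logs/error
    digests_sent: int = 0


def build_digest(msgs):
    """Digest rendering parses each Date header; an unparseable header is the
    stand-in poison here (assumed, not the actual trigger from the advisory)."""
    for m in msgs:
        if parsedate_tz(m["Date"]) is None:
            raise DigestError("bad Date header in %s" % m["Message-ID"])
    return "\n".join(m["Subject"] for m in msgs)


def flush_digest_inline(state):
    """2.1.5-style: an exception here propagates out of regular delivery."""
    if len(state.digest_mbox) >= DIGEST_THRESHOLD:
        build_digest(state.digest_mbox)
        state.digest_mbox.clear()
        state.digests_sent += 1


def flush_digest_guarded(state):
    """2.1.7-style: the failure is caught and logged; regular delivery proceeds.
    The digest itself stays stuck until an admin removes the poison message."""
    if len(state.digest_mbox) >= DIGEST_THRESHOLD:
        try:
            build_digest(state.digest_mbox)
            state.digest_mbox.clear()
            state.digests_sent += 1
        except DigestError as e:
            state.error_log.append("digest: %s" % e)


def run_pipeline(flush, messages):
    """Process posts in order; a post whose handler raises is shunted."""
    state = ListState()
    for msg in messages:
        state.digest_mbox.append(msg)    # accumulation happens before the flush
        try:
            flush(state)
        except DigestError as e:
            state.shunt.append(msg["Message-ID"])
            state.error_log.append("shunted %s: %s" % (msg["Message-ID"], e))
            continue                     # regular delivery never happens
        state.delivered.append(msg["Message-ID"])
    return state


def admin_summary(state):
    """The periodic check Tokio recommends: shunt count plus error-log entries."""
    return {
        "delivered": len(state.delivered),
        "shunted": len(state.shunt),
        "errors": len(state.error_log),
        "digests_sent": state.digests_sent,
        "digest_backlog": len(state.digest_mbox),
    }


def sample_posts(poison_index=2):
    """Constructed sample traffic; one post carries an unparseable Date."""
    posts = []
    for i in range(6):
        posts.append({
            "Message-ID": "<msg%d@example.invalid>" % i,
            "Subject": "post %d" % i,
            "Date": "Fri, 27 Jan 2006 10:%02d:00 +0900" % i,
        })
    if poison_index is not None:
        posts[poison_index]["Date"] = "not a date at all"
    return posts


if __name__ == "__main__":
    for name, flush in (("inline", flush_digest_inline), ("guarded", flush_digest_guarded)):
        print(name, admin_summary(run_pipeline(flush, sample_posts())))
```

With the inline flush, only the two posts before the poison are delivered and every later post is shunted, because the poison stays in the accumulated digest and each new arrival retriggers the flush. With the guarded flush all six posts are delivered; the digest still never goes out and the error log keeps growing, which is exactly why the shunt directory and error log still need a periodic look even after the upgrade.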
