exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

000072.html

000072.html
Posted May 26, 2004

An unspecified vulnerability in Mailman versions 2.1.4 and below allow for malicious attackers to retrieve members' passwords.

tags | advisory
SHA-256 | d93d0fd773be8e5e62c7acbccec1ae4f85da4d7dd8ac94bd2a34545fc912a747

000072.html

Change Mirror Download
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mailman-Announce] RELEASED Mailman 2.1.5
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mailman-announce%40python.org?Subject=%5BMailman-Announce%5D%20RELEASED%20Mailman%202.1.5&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">


</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mailman-Announce] RELEASED Mailman 2.1.5</H1>
<B>Barry Warsaw</B>
<A HREF="mailto:mailman-announce%40python.org?Subject=%5BMailman-Announce%5D%20RELEASED%20Mailman%202.1.5&In-Reply-To="
TITLE="[Mailman-Announce] RELEASED Mailman 2.1.5">barry at python.org
</A><BR>
<I>Sat May 15 19:22:53 EDT 2004</I>
<P><UL>


<LI> <B>Messages sorted by:</B>
<a href="date.html#72">[ date ]</a>
<a href="thread.html#72">[ thread ]</a>
<a href="subject.html#72">[ subject ]</a>
<a href="author.html#72">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Today I am releasing Mailman 2.1.5, a bug fix release that also contains
new support for the Turkish language, and a few minor new features.
Mailman 2.1.5 is a significant upgrade which should improve disk i/o
performance, administrative overhead for discarding held spams, and the
behavior of bouncing member disables. This version also contains a fix
for an exploit that could allow 3rd parties to retrieve member
passwords. It is thus highly recommended that all existing sites
upgrade to the latest version.

The full source tarball, as well as a patch against Mailman 2.1.4 have
been made available. See

<A HREF="http://sourceforge.net/project/showfiles.php?group_id=103">http://sourceforge.net/project/showfiles.php?group_id=103</A>

for links to downloads.

NOTE: You will want to read the UPGRADING file for important information
regarding upgrading from earlier version to Mailman 2.1.5. A number of
internal file formats have changed so you must shut down web and mail
access to Mailman before you upgrade. You will also want to re-run
configure (i.e. config.status) before you run "make install".

See also:

<A HREF="http://www.list.org">http://www.list.org</A>
<A HREF="http://mailman.sf.net">http://mailman.sf.net</A>
<A HREF="http://www.gnu.org/software/mailman">http://www.gnu.org/software/mailman</A>

Finally, a personal note. I have left Zope Corporation to join Secure
Software, a company started by John Viega -- Mailman's original author.
Although I won't be working on Mailman in any official capacity, it is
exciting to be working with him and the rest of the folks there. I
leave Zope Corp on a positive note and wish nothing but success for them
too.

You can find Secure Software on the web at
<A HREF="http://www.securesoftware.com.">http://www.securesoftware.com.</A> Please continue to use my
<A HREF="http://mail.python.org/mailman/listinfo/mailman-announce">barry at python.org</A> email address for all Mailman correspondences. I don't
expect much to change for the Mailman project at all.

Enjoy,
-Barry

2.1.5 (15-May-2004)

- The admindb page has a checkbox that allows you to discard all held
messages that are marked Defer. On heavy lists with lots of spam holds,
this makes clearing them much faster.

- The qrunner system has changed to use only one file per message.
However the configuration variable METADATA_FORMAT has been removed, and
support for SAVE_MSGS_AS_PICKLES has been changed. The latter no longer
writes messages as plain text. Instead, they are stored as pickles of
plain strings, using the text pickle format. This still makes them
non-binary files readable and editable by humans.

bin/dumpdb also works differently. It will print out the entire pickle
file (with more verbosity) and if used with 'python -i', it binds msg to
a list of all objects found in the pickle file.

Removed from Defaults.py: PENDINGDB_LOCK_TIMEOUT,
PENDINGDB_LOCK_ATTEMPTS, METAFMT_MARSHAL, METAFMT_BSDDB_NATIVE,
METAFMT_ASCII, METADATA_FORMAT

- The bounce processor has been redesigned so that now when an address's
bounce score reaches the threshold, that address will be sent a probe
message. Only if the probe bounces will the address be disabled. The
score is reset to zero when the probe is sent. Also, bounce events are
now kept in an event file instead of in memory. This should help
contain the bloat of the BounceRunner.

New supporting variables in Defaults.py: VERP_PROBE_FORMAT,
VERP_PROBE_REGEXP

REGISTER_BOUNCES_EVERY is promoted to a Defaults.py variable.

- The pending database has been changed from a global pickle file, to a
unique pickle file per mailing list.

- The 'request' database file has changed from a marshal, to the more
secure pickle format.

- Disallow multiple password retrievals.

- The email package is updated to version 2.5.5.

- New language: Turkish.

- Bugs and patches: 869644, 869647 (NotAMemberError for old cookie data),
878087 (bug in Slovenian catalog), 899263 (ignore duplicate pending
ids), 810675 (discard all defers button)


</PRE>

<!--endarticle-->
<HR>
<P><UL>
<!--threads-->


<LI> <B>Messages sorted by:</B>
<a href="date.html#72">[ date ]</a>
<a href="thread.html#72">[ thread ]</a>
<a href="subject.html#72">[ subject ]</a>
<a href="author.html#72">[ author ]</a>
</LI>
</UL>

<hr>
<a href="http://mail.python.org/mailman/listinfo/mailman-announce">More information about the Mailman-announce
mailing list</a><br>
</body></html>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close