ANNOUNCE Mailman 2.0.6
Barry A. Warsaw
Wed, 25 Jul 2001 16:09:46 -0400
I've just released version 2.0.6 of Mailman, the GNU Mailing List
Manager. Mailman is released under the GNU General Public License
(GPL). Version 2.0.6 fixes a potential security problem in Mailman
2.0.x, and includes a few other minor bug fixes.
It is possible, although unlikely, that you could have an empty site
password, or an empty list password. Because of peculiarities in the
Unix crypt() function, such empty passwords could allow unauthorized
access to the list administrative pages with an arbitrary password
string. This situation does not occur normally, but it is possible to
create it by accident (e.g. by touch'ing data/adm.pw).
This patch ensures that such empty passwords do not allow unauthorized
access, by first checking to make sure that the salt is at least 2
characters in length. Alternatively, you can make sure that either
data/adm.pw does not exist or that it is not empty. For the extra
paranoid, you'd need to be sure that none of your lists have empty
passwords, but that's an even more difficult situation to create by
This patch guards against both situations. (Please note that Mailman
2.1alpha is not vulnerable to this problem because it does not use
A few other minor bugs have been fixed; see the NEWS excerpt below for
Mailman 2.0.6 is being released as both a gzip'd source tarball and as
a patch file.
GNU Mailman is software to help manage electronic mail discussion
lists. Mailman gives each mailing list a unique web page and allows
users to subscribe, unsubscribe, and change their account options over
the web. Even the list manager can administer his or her list
entirely via the web. Mailman has most of the features that people
want in a mailing list management system, including built-in
archiving, mail-to-news gateways, spam filters, bounce detection,
digest delivery, and so on.
Mailman is compatible with most web servers, web browsers, and mail
servers. It runs on GNU/Linux and should run on any other Unix-like
operating system. Mailman 2.0.6 requires Python 1.5.2 or newer. To
install Mailman from source, you will need a C compiler.
For more information on Mailman, including links to file downloads,
please see the Mailman WWW page: http://www.gnu.org/software/mailman
And its mirrors at:
Downloads are available at
There are email lists (managed by Mailman, of course!) for both
Mailman users and developers. See the web sites above for details.
- Fixed a potential security hole which could allow access to list
administrative features by unauthorized users. If there is an
empty data/adm.pw file (the site password file), then any
password will be accepted as the list administrative password.
This exploit is caused by a common "bug" in the crypt() function
suffered by several Unix distributions, including at least
GNU/Linux and Solaris. Given a salt string of length zero,
crypt() always returns the empty string.
In lieu of applying this patch, sites can run bin/mmsitepass and
ensure that data/adm.pw is of length 2 or greater.
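The check described in this NEWS entry and in the body of the announcement (refuse authentication when the stored password is shorter than the two-character salt) can be illustrated with the following added example. It is not Mailman's code; the `crypt()` stand-in is constructed to reproduce only the behaviour the announcement describes (an empty salt yields an empty string), and the function names, the pre-fix comparison logic and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os


def crypt_with_empty_salt_bug(word: str, salt: str) -> str:
    """Constructed stand-in for a Unix crypt(3) showing the bug the
    announcement describes: with a salt shorter than two characters it
    returns the empty string instead of a hash. Not a real crypt()."""
    if len(salt) < 2:
        return ""
    digest = hashlib.sha256((salt[:2] + word).encode()).hexdigest()[:11]
    return salt[:2] + digest


def check_password_before_fix(stored: str, supplied: str) -> bool:
    """Assumed reconstruction of the pre-2.0.6 logic: re-crypt the supplied
    password with the stored hash's salt and compare. If `stored` is empty,
    the salt is empty, crypt() returns "", and "" == "" succeeds for any
    supplied password."""
    return crypt_with_empty_salt_bug(supplied, stored[:2]) == stored


def check_password_after_fix(stored: str, supplied: str) -> bool:
    """The guard the announcement describes: a stored value that cannot hold
    a two-character salt is rejected outright, so an empty data/adm.pw or
    list password never authenticates anyone."""
    if len(stored) < 2:
        return False
    candidate = crypt_with_empty_salt_bug(supplied, stored[:2])
    # Constant-time comparison; not part of the announcement, a modern habit.
    return hmac.compare_digest(candidate, stored)


def site_password_entry_is_safe(contents):
    """Mirror of the operational advice: data/adm.pw must either not exist
    (None here) or hold at least two characters."""
    if contents is None:
        return True
    return len(contents.strip()) >= 2


def site_password_file_is_safe(path: str) -> bool:
    """Apply the same rule to an on-disk file such as data/adm.pw."""
    if not os.path.exists(path):
        return site_password_entry_is_safe(None)
    with open(path) as f:
        return site_password_entry_is_safe(f.read())


if __name__ == "__main__":
    good = crypt_with_empty_salt_bug("correct horse", "ab")  # constructed sample
    print("empty stored, before fix:", check_password_before_fix("", "anything"))
    print("empty stored, after fix: ", check_password_after_fix("", "anything"))
    print("real password, after fix:", check_password_after_fix(good, "correct horse"))
```

Running the block prints `True` for the first line (any password is accepted against an empty stored hash) and `False` for the second, which is the behaviour change 2.0.6 introduces; the third line shows the guard does not break normal authentication. `site_password_file_is_safe("data/adm.pw")` reproduces the manual check suggested above for sites that do not apply the patch.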
- Ensure that even if DEFAULT_URL is misconfigured in mm_cfg.py
(i.e. is missing a trailing slash), it is always fixed upon list
- Check for administrivia holds before any other tests.
- SF bugs fixed: 407666, 227694
- Other miscellaneous buglets fixed.