From: barry@zope.com (Barry A. Warsaw)
To: python-announce-list@python.org
Subject: ANNOUNCE Mailman 2.0.6
Date: Wed, 25 Jul 2001 16:06:20 -0400
Cc: python-list@python.org

I've just released version 2.0.6 of Mailman, the GNU Mailing List Manager. Mailman is released under the GNU General Public License (GPL).

Version 2.0.6 fixes a potential security problem in Mailman 2.0.x, and includes a few other minor bug fixes.

It is possible, although unlikely, that you could have an empty site password, or an empty list password. Because of peculiarities in the Unix crypt() function, such empty passwords could allow unauthorized access to the list administrative pages with an arbitrary password string. This situation does not occur normally, but it is possible to create it by accident (e.g. by touch'ing data/adm.pw).

This patch ensures that such empty passwords do not allow unauthorized access, by first checking to make sure that the salt is at least 2 characters in length. Alternatively, you can make sure that either data/adm.pw does not exist or that it is not empty. For the extra paranoid, you'd need to be sure that none of your lists have empty passwords, but that's an even more difficult situation to create by accident. This patch guards against both situations.

(Please note that Mailman 2.1alpha is not vulnerable to this problem because it does not use crypt().)

A few other minor bugs have been fixed; see the NEWS excerpt below for details.

Mailman 2.0.6 is being released as both a gzip'd source tarball and as a patch file.

GNU Mailman is software to help manage electronic mail discussion lists. Mailman gives each mailing list a unique web page and allows users to subscribe, unsubscribe, and change their account options over the web. Even the list manager can administer his or her list entirely via the web.

Mailman has most of the features that people want in a mailing list management system, including built-in archiving, mail-to-news gateways, spam filters, bounce detection, digest delivery, and so on. Mailman is compatible with most web servers, web browsers, and mail servers. It runs on GNU/Linux and should run on any other Unix-like operating system.

Mailman 2.0.6 requires Python 1.5.2 or newer. To install Mailman from source, you will need a C compiler.

For more information on Mailman, including links to file downloads, please see the Mailman WWW page:

    http://www.gnu.org/software/mailman

And its mirrors at:

    http://mailman.sourceforge.net
    http://www.list.org

Downloads are available at

    http://sourceforge.net/project/shownotes.php?release_id=45268

There are email lists (managed by Mailman, of course!) for both Mailman users and developers. See the web sites above for details.

Enjoy,
-Barry

2.0.6 (25-Jul-2001)

Security fix:

- Fixed a potential security hole which could allow access to list administrative features by unauthorized users. If there is an empty data/adm.pw file (the site password file), then any password will be accepted as the list administrative password. This exploit is caused by a common "bug" in the crypt() function suffered by several Unix distributions, including at least GNU/Linux and Solaris. Given a salt string of length zero, crypt() always returns the empty string. In lieu of applying this patch, sites can run bin/mmsitepass and ensure that data/adm.pw is of length 2 or greater.

Bug fixes:

- Ensure that even if DEFAULT_URL is misconfigured in mm_cfg.py (i.e. is missing a trailing slash), it is always fixed upon list creation.
- Check for administrivia holds before any other tests.
- SF bugs fixed: 407666, 227694
- Other miscellaneous buglets fixed.

--
http://mail.python.org/mailman/listinfo/python-announce-list
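The empty-salt hole described in the announcement, as an added example that is not Mailman's own code: a constructed stand-in for crypt() that mimics the zero-length-salt quirk, the pre-2.0.6-style comparison that it defeats, and the 2.0.6-style check that refuses short salts before calling crypt(). The function names, the hash stub and the adm.pw helper are assumptions made for the illustration.

```python
import hmac
from typing import Callable

# Constructed stand-in for the buggy Unix crypt() described above: with a
# zero-length salt it returns the empty string. It is NOT a real password
# hash; it only reproduces the salt handling the announcement talks about.
def quirky_crypt(password: str, salt: str) -> str:
    if len(salt) == 0:
        return ""
    salt = salt[:2]  # traditional crypt() uses a 2-character salt
    digest = sum(ord(c) * (i + 7) for i, c in enumerate(password + salt)) % 9973
    return salt + format(digest, "04x")


def vulnerable_check(password: str, stored: str,
                     crypt_fn: Callable[[str, str], str] = quirky_crypt) -> bool:
    # Pre-2.0.6 style: crypt the candidate using the stored hash as the salt
    # and compare. If data/adm.pw is empty (e.g. after `touch data/adm.pw`),
    # stored == "" and crypt_fn returns "", so ANY password matches.
    return crypt_fn(password, stored) == stored


def hardened_check(password: str, stored: str,
                   crypt_fn: Callable[[str, str], str] = quirky_crypt) -> bool:
    # 2.0.6 style: refuse to compare at all unless the salt (the first two
    # characters of the stored hash) is actually present. The constant-time
    # comparison is an extra precaution, not part of the original fix.
    if len(stored) < 2:
        return False
    return hmac.compare_digest(crypt_fn(password, stored), stored)


def adm_pw_file_ok(contents: bytes) -> bool:
    # Mirrors the workaround in the NEWS entry: data/adm.pw must either not
    # exist or hold a hash of length 2 or greater (trailing newline ignored).
    return len(contents.rstrip(b"\n")) >= 2


if __name__ == "__main__":
    good = quirky_crypt("s3cret", "ab")
    print("empty site password, vulnerable check:", vulnerable_check("anything", ""))
    print("empty site password, hardened check:  ", hardened_check("anything", ""))
    print("real password, hardened check:        ", hardened_check("s3cret", good))
```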