Debian Bug report logs - #64841
mailman security?


Package: mailman; Maintainer for mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Source for mailman is src:mailman.

Reported by: Joey Hess <joeyh@debian.org>

Date: Mon, 29 May 2000 06:03:11 UTC

Severity: critical

Found in version 1.1-5

Done: Gergely Madarasz <gorgo@sztaki.hu>

Bug is archived. No further changes may be made.

Forwarded to john@list.org



Report forwarded to debian-bugs-dist@lists.debian.org, Gergely Madarasz <gorgo@sztaki.hu>:
Bug#64841; Package mailman.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Gergely Madarasz <gorgo@sztaki.hu>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: submit@bugs.debian.org
Subject: mailman security?
Date: Sun, 28 May 2000 22:37:54 -0700
Package: mailman
Version: 1.1-5
Severity: critical

According to one of the authors of mailman, at
http://developer.earthweb.com/journal/techfocus/052600_security.html,

"For three years, until March 2000, Mailman
had a handful of glaring security problems in code that I
wrote before I knew much about security. An attacker could
use these security holes to gain access to the operating
system on Linux computers running the program."

"These were not obscure bugs: anyone armed with the Unix
command grep and an iota of security knowledge could have
found them in seconds."

"If you're running a Mailman
version earlier than 2.0 beta, allow me to suggest that you
upgrade immediately."

Needless to say, we have an earlier version. The NEWS file for mailman 2.0
beta doesn't say much about these issues, but does say something vague about
a security problem with external archivers being fixed.

-- 
see shy jo



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#64841; Package mailman.

Acknowledgement sent to Gergely Madarasz <gorgo@sztaki.hu>:
Extra info received and forwarded to list.

Message #10 received at 64841@bugs.debian.org:

From: Gergely Madarasz <gorgo@sztaki.hu>
To: Joey Hess <joeyh@debian.org>, 64841@bugs.debian.org
Subject: Re: Bug#64841: mailman security?
Date: Mon, 29 May 2000 13:04:31 +0200 (MET DST)
On Sun, 28 May 2000, Joey Hess wrote:

> Package: mailman
> Version: 1.1-5
> Severity: critical
> 
> According to one of the authors of mailman, at
> http://developer.earthweb.com/journal/techfocus/052600_security.html,
> 
> "For three years, until March 2000, Mailman
> had a handful of glaring security problems in code that I
> wrote before I knew much about security. An attacker could
> use these security holes to gain access to the operating
> system on Linux computers running the program."
> 
> "These were not obscure bugs: anyone armed with the Unix
> command grep and an iota of security knowledge could have
> found them in seconds."
> 
> "If you're running a Mailman
> version earlier than 2.0 beta, allow me to suggest that you
> upgrade immediately."
> 
> Needless to say, we have an earlier version. The NEWS file for mailman 2.0
> beta doesn't say much about these issues, but does say something vague about
> a security problem with external archivers being fixed.

I don't have time now to search for these problems and backport them to
1.1 :( Including 2.0beta this late in the freeze is, in my opinion, not
possible; there are too many changes in it... and I won't have time to
package it for another week or two... :(

-- 
Madarasz Gergely           gorgo@sztaki.hu           gorgo@linux.rulez.org
     It's practically impossible to look at a penguin and feel angry.
         Egy pingvinre gyakorlatilag lehetetlen haragosan nezni.
                   HuLUG: http://mlf.linux.rulez.org/




Reply sent to Gergely Madarasz <gorgo@sztaki.hu>:
You have marked Bug as forwarded.

Message #13 received at 64841-forwarded@bugs.debian.org:

From: Gergely Madarasz <gorgo@sztaki.hu>
To: john@list.org
Cc: Joey Hess <joeyh@debian.org>, 64841-forwarded@bugs.debian.org
Subject: Re: Bug#64841: mailman security?
Date: Mon, 29 May 2000 13:25:38 +0200 (MET DST)
Hello John,

Could you please explain a bit more thoroughly what kind of problems there
are in mailman 1.1? The soon-to-be-released Debian potato contains
mailman 1.1, and upgrading to 2.0beta this late in the freeze is not
possible. So it would be nice if we could backport the changes to 1.1 (the
other option is to remove mailman entirely from Debian potato :( )

On Sun, 28 May 2000, Joey Hess wrote:

> Package: mailman
> Version: 1.1-5
> Severity: critical
> 
> According to one of the authors of mailman, at
> http://developer.earthweb.com/journal/techfocus/052600_security.html,
> 
> "For three years, until March 2000, Mailman
> had a handful of glaring security problems in code that I
> wrote before I knew much about security. An attacker could
> use these security holes to gain access to the operating
> system on Linux computers running the program."
> 
> "These were not obscure bugs: anyone armed with the Unix
> command grep and an iota of security knowledge could have
> found them in seconds."
> 
> "If you're running a Mailman
> version earlier than 2.0 beta, allow me to suggest that you
> upgrade immediately."
> 
> Needless to say, we have an earlier version. The NEWS file for mailman 2.0
> beta doesn't say much about these issues, but does say something vague about
> a security problem with external archivers being fixed.
> 
> 

-- 
Madarasz Gergely           gorgo@sztaki.hu           gorgo@linux.rulez.org
     It's practically impossible to look at a penguin and feel angry.
         Egy pingvinre gyakorlatilag lehetetlen haragosan nezni.
                   HuLUG: http://mlf.linux.rulez.org/




Reply sent to Gergely Madarasz <gorgo@sztaki.hu>:
You have taken responsibility.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.

Message #18 received at 64841-close@bugs.debian.org:

From: Gergely Madarasz <gorgo@sztaki.hu>
To: 64841-close@bugs.debian.org
Subject: Bug#64841: fixed in mailman 1.1-6
Date: Mon, 29 May 2000 12:32:59 -0400
We believe that the bug you reported is fixed in the latest version of
mailman, which has been installed in the Debian FTP archive:
mailman_1.1-6.dsc
  to dists/potato/main/source/mail/mailman_1.1-6.dsc
  replacing mailman_1.1-5.dsc
mailman_1.1-6.dsc
  to dists/woody/main/source/mail/mailman_1.1-6.dsc
  replacing mailman_1.1-5.dsc
mailman_1.1-6_i386.deb
  to dists/potato/main/binary-i386/mail/mailman_1.1-6.deb
  replacing mailman_1.1-5.deb
mailman_1.1-6_i386.deb
  to dists/woody/main/binary-i386/mail/mailman_1.1-6.deb
  replacing mailman_1.1-5.deb
mailman_1.1-6.diff.gz
  to dists/potato/main/source/mail/mailman_1.1-6.diff.gz
  replacing mailman_1.1-5.diff.gz
mailman_1.1-6.diff.gz
  to dists/woody/main/source/mail/mailman_1.1-6.diff.gz
  replacing mailman_1.1-5.diff.gz

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 64841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gergely Madarasz <gorgo@sztaki.hu> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.6
Date: Mon, 29 May 2000 15:15:15 +0200
Source: mailman
Binary: mailman
Architecture: source i386
Version: 1.1-6
Distribution: frozen unstable
Urgency: high
Maintainer: Gergely Madarasz <gorgo@sztaki.hu>
Description: 
 mailman    - Powerful, web based list processor
Closes: 63427 64841
Changes: 
 mailman (1.1-6) frozen unstable; urgency=high
 .
   * Fix archiver security problem (Closes: #64841)
   * Fix upgrade message (Closes: #63427)
   * Fix email address in README.Debian
Files: 
 e551eb16ca8da331b8a2d6ae174533d5 564 web optional mailman_1.1-6.dsc
 c5b3c31dd8938ec04d547a14c2a69669 18363 web optional mailman_1.1-6.diff.gz
 56d7a6cf2c8312f7dc9e16c74e7630fd 327970 web optional mailman_1.1-6_i386.deb






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 08:10:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.