[Centos] [full-d] Administrivia: List Compromised due to Mailman Vulnerability (fwd)

Wed Feb 9 20:11:55 UTC 2005
Johnny Hughes <mailing-lists at hughesjr.com>

On Wed, 2005-02-09 at 14:53 -0500, seth vidal wrote:
> On Wed, 2005-02-09 at 14:41 -0500, R P Herrold wrote:
> > Sorry for the cross post, but this is an important one 
> > potentially affecting all recipients.
> > 
> > This just crossed the Full Disclosure mailman moderated 
> > mailing list.  It bears a careful read, and thought about 
> > whether a response is needed.
> > 
> > The implication is that if there is any use of a mailman 
> > password in common with a password you 'care' about, you need 
> > to take appropriate action at once.  Also some backends merge 
> > Bugzilla and mailman password stores, which can cause 
> > unexpected secondary effects.
> > 
> > I have not seen a patch yet, and so one has to assume that the 
> > configs and passwords for all mailman moderated mailing lists 
> > are compromised.  Once a fix issues, Mailman moderators will 
> > want to do a global password change, and local list 
> > modification.
> > 
> 
> the patch to mailman came out weeks ago unless this is a new password
> exposure bug.
> 
> -sv

I think you are thinking about this one:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412

but if that number is right (CAN-2005-0202) ... then this is brand new
(it isn't even published yet):
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202

-- 
Johnny Hughes
<http://www.HughesJR.com/>