[clue-admin] Mailman patch.

Jeff Cann j.cann at isuma.org
Sat Feb 26 16:38:47 MST 2005


On Saturday 26 February 2005 11:04 am, David Anselmi wrote:
> Has the CLUE server been patched for CAN-2005-0202?  When?
>
> http://www.list.org/security.html
>
> It might be useful to warn our subscribers that their passwords were at
> risk until then.

FWIW - 

"The extent of your exposure to this vulnerability depends on factors such as 
which version of Apache you are running and how you have it configured. We do 
not currently know the exact combination that enables the hole, although we 
currently believe that Apache 2.0 sites are not vulnerable and that many 
if not most Apache 1.3 sites are vulnerable."
 + http://www.list.org/security.html

I suppose we could warn the users, but I think resetting all of the passwords 
is a waste of time for three reasons:

1.  We are on Apache 2.0.
2.  Users do not use SSL to admin their passwords in the mailman web forms, so 
this is a vulnerability which we have talked about in the past.
3.  Emailing new passwords is also insecure because the new passwords are sent 
w/o encryption.

In any event, I applied the patch 5 minutes ago.

Thanks for paying attention, Dave.
Jeff

-- 
"Science can purify religion from error and superstition. Religion can purify 
science from idolatry and false absolutes."
- Pope John Paul II

http://isuma.org/

