
Re: Preparation of Debian GNU/Linux 2.2r4



* Martin Schulze 

| mailman     stable    1.1-6       alpha, arm, i386, m68k, powerpc, sparc
| mailman     updates   1.1-8       alpha, arm, i386, m68k, powerpc, sparc
| 
| install mailman_1.1-7_i386.changes
| install mailman_1.1-8_i386.changes
| install mailman_1.1-8_m68k.changes
| install mailman_1.1-8_multi.changes
| 
| 	* Fix possible (but rare) security problem if site password was blank
| 	
| 	* Fix maintainer field
| 	* Completely fix previous security flaw
| 	* Fix dedent in Mailman/SecurityManager.py (closes: #107768)
| 
| 	DSA missing, it seems

It was deemed too small a problem to release a full advisory -- you
have to set a blank site password (which is not the same as not setting
the site password).

From the announcement (I've backported the fix): 

: I've just released Mailman 2.0.6 which fixes a potential security
: problem in Mailman 2.0.x, and includes a few other minor bug fixes.

: It is possible, although unlikely, that you could have an empty site
: password, or an empty list password.  Because of peculiarities in
: the Unix crypt() function, such empty passwords could allow
: unauthorized access to the list administrative pages with an
: arbitrary password string.  This situation does not occur normally,
: but it is possible to create it by accident (e.g. by touch'ing
: data/adm.pw).

: This patch ensures that such empty passwords do not allow
: unauthorized access, by first checking to make sure that the salt is
: at least 2 characters in length.  Alternatively, you can make sure
: that either data/adm.pw does not exist or that it is not empty.  For
: the extra paranoid, you'd need to be sure that none of your lists
: have empty passwords, but that's an even more difficult situation to
: create by accident.

: This patch guards against both situations.  Please note that Mailman
: 2.1alpha is not vulnerable to this problem because it does not use
: crypt().

Wichert didn't think a security advisory was needed, since it would
take some effort to shoot yourself in the foot.

It's kind of like having login getting bugs because it accepts blank
passwords. :)

| install inn2_2.2.2.2000.01.31-5_i386.changes
| install inn2_2.2.2.2000.01.31-5_m68k.changes
| install inn2_2.2.2.2000.01.31-5_source.changes
| install inn2_2.2.2.2000.01.31-5_sparc.changes
| install inn2_2.2.2.2000.01.31-5_alpha.changes
| 
| 	Security Update, DSA 023
| 
| 	Bdale reports a serious problem with this upload, it broke
| 	some functionality.  He's going to upload a fixed version, so
| 	this will have to wait for 2.2r4 then.  Fixed for 2.2.2.2000.01.31-5.
| 
| 	arm and powerpc missing

This one should probably have some of the fixes I've sent to Bdale as
well, which fixes some of the many race conditions in some of the
shell scripts.

-- 

Tollef Fog Heen
Axiom #1: You Can't Win
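
The failure mode the announcement describes, and the shape of the 2.0.6 guard, as an added illustration that is not from this thread or from Mailman's own code. The crypt(3) stand-in below is constructed and only reproduces the behaviour the announcement names (an empty salt yields an empty result); the helper names check_password_vulnerable, check_password_fixed, find_empty_passwords and site_password_state are assumed for the example.

```python
import hashlib
import hmac
import os

# Character set used by classic DES crypt(3) output (./0-9A-Za-z).
CRYPT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(word, salt):
    """Constructed stand-in for the Unix crypt(3) that Mailman 2.0.x used.

    Real DES crypt returns 13 characters: the 2-character salt followed by
    11 hash characters.  The stand-in keeps that shape and reproduces the
    peculiarity the announcement describes: given an empty salt it returns
    an empty string, so crypt(<anything>, "") == "".  It is NOT real crypt.
    """
    if len(salt) < 2:
        return ""
    salt = salt[:2]
    digest = hashlib.sha256((salt + word).encode("utf-8")).digest()
    return salt + "".join(CRYPT_CHARS[b % 64] for b in digest[:11])


def check_password_vulnerable(stored, response):
    """Shape of the pre-2.0.6 check: hash the response with the stored salt
    and compare.  If `stored` is "" (e.g. a touch'ed data/adm.pw), the
    crypt result is also "", so ANY response is accepted."""
    return toy_crypt(response, stored[:2]) == stored


def check_password_fixed(stored, response):
    """Shape of the 2.0.6 fix: refuse before calling crypt unless the stored
    value carries a salt of at least 2 characters.  compare_digest keeps the
    comparison constant-time (an addition here, not part of the original fix)."""
    if len(stored) < 2:
        return False
    return hmac.compare_digest(toy_crypt(response, stored[:2]), stored)


def find_empty_passwords(passwords):
    """Audit helper (assumed, not Mailman's): given a mapping of
    list name -> stored hash, return the names whose stored value is too
    short to carry a salt and would be accepted by the vulnerable check."""
    return sorted(name for name, stored in passwords.items() if len(stored) < 2)


def site_password_state(path):
    """Classify a data/adm.pw-style file as the announcement describes:
    'absent' (safe), 'empty' (the accidental vulnerable state), or 'set'."""
    if not os.path.exists(path):
        return "absent"
    with open(path, "rb") as fh:
        return "empty" if fh.read().strip() == b"" else "set"


if __name__ == "__main__":
    good = toy_crypt("list-secret", "Qz")
    # Constructed sample: two lists with proper hashes, one created empty.
    sample = {"announce": good, "devel": toy_crypt("other", "7f"), "test": ""}
    print("vulnerable check, empty hash, junk response:",
          check_password_vulnerable("", "junk"))          # True
    print("fixed check, empty hash, junk response:",
          check_password_fixed("", "junk"))               # False
    print("fixed check, real password:",
          check_password_fixed(good, "list-secret"))      # True
    print("lists with empty passwords:", find_empty_passwords(sample))  # ['test']
```

The point of the two checks side by side is that the stored value, not the response, is what needs validating: a stored hash shorter than a salt can never have been produced by a working crypt call, so refusing it up front closes the hole regardless of what the platform's crypt() does with a bad salt. The audit helper is the "extra paranoid" check from the announcement turned into a scan of list passwords.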


