Category:   Application (E-mail Server)  >   Mailman
Vendors:   GNU [multiple authors]
Mailman Discloses Subscriber Passwords to Remote Users
SecurityTracker Alert ID:  1010283
SecurityTracker URL:
CVE Reference:   CVE-2004-0412
Date:  May 25 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.1.x prior to 2.1.5
Description:   A vulnerability was reported in Mailman. A remote user may be able to obtain the password of another user.

The vendor reported that a remote user can send a specially crafted e-mail request to the Mailman server to retrieve the Mailman password of a target Mailman subscriber.

Impact:   A remote user may be able to retrieve the password of a target mailman subscriber.
Solution:   The vendor has released a fixed version (2.1.5), available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
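The advisory describes the weakness only at the level of "a crafted e-mail request retrieves another subscriber's password", and the 2.1.5 release notes quoted below summarize the fix as "Disallow multiple password retrievals". The following is an added example, not Mailman's own code, that models what a hardened e-mail command processor for password reminders looks like from a defender's point of view: a reminder is only ever delivered to the member's registered address (never to whoever sent the request), at most one retrieval is honoured per message, the reply to the sender does not reveal whether an address is subscribed, and requests on behalf of a third party are recorded as audit events. The `password [address=<addr>]` command syntax, the `end` terminator, the member table and the log format are all assumptions made for this example. A small version check for the affected range stated above (2.1.x prior to 2.1.5) is included as well.

```python
"""Model of a hardened mail-command processor for list password reminders.

Added example; simplified, not Mailman's implementation.
"""
import re
from dataclasses import dataclass

# Constructed sample subscriber table: registered address -> list password.
MEMBERS = {
    "alice@example.org": "alice-secret",
    "bob@example.org": "bob-secret",
}

# Assumed command syntax: "password" or "password address=<addr>" on its own line.
PASSWORD_CMD = re.compile(r"^password(?:\s+address=(\S+))?$", re.IGNORECASE)


@dataclass
class Outcome:
    replies_to_sender: list  # lines returned to the envelope sender
    reminders: list          # (recipient, password) pairs queued for delivery
    alerts: list             # audit events a list admin would want logged


def process_commands(sender: str, body: str, members=MEMBERS) -> Outcome:
    """Process the command lines of one message from `sender`."""
    out = Outcome([], [], [])
    retrieved = False  # enforces a single password retrieval per message
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "end":  # assumed: stop at an "end" line, as mail-command bots commonly do
            break
        m = PASSWORD_CMD.match(line)
        if not m:
            out.replies_to_sender.append(f"Ignored unknown command: {line}")
            continue
        # Which member is the request about? Defaults to the sender's own address.
        target = (m.group(1) or sender).lower()
        if retrieved:
            out.replies_to_sender.append("Only one password retrieval is allowed per message.")
            out.alerts.append(f"repeat-retrieval sender={sender} target={target}")
            continue
        retrieved = True  # count the attempt even if the target is not subscribed
        if target != sender.lower():
            # Not blocked (the reminder still goes to the member), but worth auditing.
            out.alerts.append(f"third-party-retrieval sender={sender} target={target}")
        password = members.get(target)
        if password is not None:
            # The password is addressed to the registered member only, never to the sender.
            out.reminders.append((target, password))
        # Same reply whether or not the address is subscribed: no membership enumeration.
        out.replies_to_sender.append("If the address is subscribed, a reminder has been sent to it.")
    return out


def is_affected(version: str) -> bool:
    """True if a Mailman version string falls in the range given by the advisory: 2.1.x before 2.1.5."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor) == (2, 1) and patch < 5


if __name__ == "__main__":
    body = "password address=alice@example.org\npassword address=bob@example.org\n"
    result = process_commands("mallory@example.net", body)
    print("reminders:", result.reminders)       # only alice, delivered to alice
    print("alerts:", result.alerts)
    print("2.1.4 affected:", is_affected("2.1.4"), "| 2.1.5 affected:", is_affected("2.1.5"))
```

The point of the model is that the two properties reinforce each other: sending the reminder only to the registered address means a third-party request cannot leak the password to the requester, and the one-retrieval-per-message limit stops a single message from being used to trigger reminders for many members at once. The `alerts` list is where a practitioner would hook mail-log based detection of such requests.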

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 25 2004 (Conectiva Issues Fix) Mailman Discloses Subscriber Passwords to Remote Users
Conectiva has released a fix.
May 27 2004 (Mandrake Issues Fix) Mailman Discloses Subscriber Passwords to Remote Users
Mandrake has released a fix.
Jun 9 2004 (Gentoo Issues Fix) Mailman Discloses Subscriber Passwords to Remote Users
Gentoo has issued a fix.

Source Message Contents

Subject:  [Mailman-Announce] RELEASED Mailman 2.1.5

Today I am releasing Mailman 2.1.5, a bug fix release that also contains
new support for the Turkish language, and a few minor new features.
Mailman 2.1.5 is a significant upgrade which should improve disk i/o
performance, administrative overhead for discarding held spams, and the
behavior of bouncing member disables.  This version also contains a fix
for an exploit that could allow 3rd parties to retrieve member
passwords.  It is thus highly recommended that all existing sites
upgrade to the latest version.

The full source tarball, as well as a patch against Mailman 2.1.4 have
been made available.  See

for links to downloads.

NOTE: You will want to read the UPGRADING file for important information
regarding upgrading from earlier version to Mailman 2.1.5.  A number of
internal file formats have changed so you must shut down web and mail
access to Mailman before you upgrade.  You will also want to re-run
configure (i.e. config.status) before you run "make install".

See also:

Finally, a personal note.  I have left Zope Corporation to join Secure
Software, a company started by John Viega -- Mailman's original author.
Although I won't be working on Mailman in any official capacity, it is
exciting to be working with him and the rest of the folks there.  I
leave Zope Corp on a positive note and wish nothing but success for them.

You can find Secure Software on the web at  Please continue to use my
barry at email address for all Mailman correspondences.  I don't
expect much to change for the Mailman project at all.


2.1.5 (15-May-2004)

     - The admindb page has a checkbox that allows you to discard all held
       messages that are marked Defer.  On heavy lists with lots of spam holds,
       this makes clearing them much faster.

     - The qrunner system has changed to use only one file per message.
       However the configuration variable METADATA_FORMAT has been removed, and
       support for SAVE_MSGS_AS_PICKLES has been changed.  The latter no longer
       writes messages as plain text.  Instead, they are stored as pickles of
       plain strings, using the text pickle format.  This still makes them
       non-binary files readable and editable by humans.

       bin/dumpdb also works differently.  It will print out the entire pickle
       file (with more verbosity) and if used with 'python -i', it binds msg to
       a list of all objects found in the pickle file.

       Removed from PENDINGDB_LOCK_TIMEOUT,

     - The bounce processor has been redesigned so that now when an address's
       bounce score reaches the threshold, that address will be sent a probe
       message.  Only if the probe bounces will the address be disabled.  The
       score is reset to zero when the probe is sent.  Also, bounce events are
       now kept in an event file instead of in memory.  This should help
       contain the bloat of the BounceRunner.

       New supporting variables in VERP_PROBE_FORMAT,

       REGISTER_BOUNCES_EVERY is promoted to a variable.

     - The pending database has been changed from a global pickle file, to a
       unique pickle file per mailing list.

     - The 'request' database file has changed from a marshal, to the more
       secure pickle format.

     - Disallow multiple password retrievals.

     - The email package is updated to version 2.5.5.

     - New language: Turkish.

     - Bugs and patches: 869644, 869647 (NotAMemberError for old cookie data),
       878087 (bug in Slovenian catalog), 899263 (ignore duplicate pending
       ids), 810675 (discard all defers button)


Copyright 2021, LLC