[jdev] Administrivia: Mailman Vulnerability
Peter Saint-Andre
stpeter at jabber.org
Thu Feb 10 11:25:40 CST 2005
Luis Peralta has pointed me to the following Mailman vulnerability:
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
The Mailman installation at jabber.org has been patched to address this
issue. After a review of the Apache logs for the mail.jabber.org domain,
we have determined that the jdev at jabber.org list is the only list hosted
by jabber.org/jabberstudio.org that was possibly attacked using this
exploit. As a precaution, I have changed the list's administrative
password and have checked all the relevant list configuration settings
(they do not appear to have been modified). In addition, a spot check by
about half a dozen subscribers indicates that no subscriber passwords
were modified. However, as a precaution, you may want to visit the
following URL and have Mailman send you a password reminder, then log in
and change your password:
http://mail.jabber.org/mailman/listinfo/jdev/
If the password reminder sent to you looks unfamiliar or you are not
able to log in, please let me know ASAP.
Let me reiterate that only the JDEV list was possibly affected, and that
so far it appears no subscriber information was compromised. Also, this
issue is totally unrelated to the recent discovery of a rootkit on the
hades.jabber.org machine, since our Mailman installation is deployed on
a separate server (atlas.jabber.org).
As always, feel free to contact me directly if you have any questions or
concerns.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml