[jdev] Re: Administrivia: Mailman Vulnerability
Peter Saint-Andre
stpeter at jabber.org
Thu Feb 10 14:18:04 CST 2005
It turns out that the access to JDEV via this vulnerability was
"friendly fire" -- someone who tested the web interface to determine
if the jabber.org Mailman deployment had been patched yet. So that's why
nothing was compromised, and there is thus no reason to change your list
password.
Peter
On Thu, Feb 10, 2005 at 11:25:40AM -0600, Peter Saint-Andre wrote:
> Luis Peralta has pointed me to the following Mailman vulnerability:
>
> http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
>
> The Mailman installation at jabber.org has been patched to address this
> issue. After a review of the Apache logs for the mail.jabber.org domain,
> we have determined that the jdev at jabber.org list is the only list hosted
> by jabber.org/jabberstudio.org that was possibly attacked using this
> exploit. As a precaution, I have changed the list's administrative
> password and have checked all the relevant list configuration settings
> (they do not appear to have been modified). In addition, a spot check by
> about half a dozen subscribers indicates that no subscriber passwords
> were modified. However, as a precaution, you may want to visit the
> following URL and have Mailman send you a password reminder, then log in
> and change your password:
>
> http://mail.jabber.org/mailman/listinfo/jdev/
>
> If the password reminder sent to you looks unfamiliar or you are not
> able to log in, please let me know ASAP.
>
> Let me reiterate that only the JDEV list was possibly affected, and that
> so far it appears no subscriber information was compromised. Also, this
> issue is totally unrelated to the recent discovery of a rootkit on the
> hades.jabber.org machine, since our Mailman installation is deployed on
> a separate server (atlas.jabber.org).
>
> As always, feel free to contact me directly if you have any questions or
> concerns.
>
> Peter
>