[CAN-2004-1143] mailman: weak auto-generated passwords
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mailman (Debian) | Fix Released | Unknown | |
mailman (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #286796 http://bugs.debian.org/286796
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Wed, 22 Dec 2004 10:53:01 +0100
From: Florian Weimer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-1143] mailman: weak auto-generated passwords
Package: mailman
Severity: grave
Tags: security
Justification: user security hole
Red Hat has posted a private vendor-sec posting to a public mailing list:
<http://
Short summary: Mailman only generates about 5 million different
passwords. This means that brute force attacks are possible.
The CVE Project assigned CAN-2004-1143 to this vulnerability.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (800, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-rc3fw
Locale: LANG=en_US.UTF-8, LC_CTYPE=
In Debian Bug tracker #286796, Florian Weimer (fw) wrote : Patch | #3 |
tag 286796 patch
thanks
Here's a patch. It's been tested on my Mailman installation and it
seems to work. If you release an advisory, you should point site
administrators to the new change_member_pw script which can be used to
reset passwords.
I've only applied the proposed change to the list templates in the
English and German versions. You might want to fix this before a
release.
There are two other minor vulnerabilities in Mailman 2.1. I'm trying
to notify Mailman developers in advance, but if this is not possible,
it would probably make sense to put at least one of the patches in the
same upload.
mailman (2.1.5-4.1) unstable; urgency=high
* Non-maintainer upload
* Fix CAN-2004-1143 (closes: #286796).
-- Florian Weimer <email address hidden> Wed, 22 Dec 2004 13:30:19 +0100
#! /bin/sh /usr/share/
## 40_can-
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix CAN-2004-1143: weak auto-generated passwords.
@DPATCH@
diff -urNad mailman-
--- mailman-
+++ /tmp/dpep.
@@ -0,0 +1,142 @@
+#! @PYTHON@
+#
+# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Portions Copyright (C) 2004 by Florian Weimer.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+"""Change the passwords of list members.
+
+This script resets all passwords of list members. This is helpful if
+the passwords have been compromised.
+
+Usage: change_pw [options]
+
+Options:
+
+ --all / -a
+ Change the password for all lists.
+
+ --domain=domain
+ -d domain
+ Change the password for all lists in the virtual domain `domain'. It
+ is okay to give multiple -d options.
+
+ --listname=listname
+ -l listname
+ Change the password only for the named list. It is okay to give
+ multiple -l options.
+
+ --help / -h
+ Print this help message and exit.
+"""
+
+import sys
+import sha
+import getopt
+
+import paths
+from Mailman import mm_cfg
+from Mailman import Utils
+from Mailman import MailList
+from Mailman import Errors
+from Mailman import Message
+from Mailman import i18n
+
+_ = i18n._
+
+SPACE = ' '
+
+
+
+def usage(code, msg=''):
+ if code:
+ fd = sys.stderr
+ else:
+ fd = sys.stdout
+ print >> fd, _(__d...
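Review bot: the usage line in the module docstring (`Usage: change_pw [options]`) names the tool differently from the `change_member_pw` script that the cover message tells site administrators to run; the two should agree so that an advisory points at the file that actually exists. The docstring also only says that the script "resets all passwords of list members" and not how the new passwords reach the members, which an administrator running it after a compromise needs to know before starting; a sentence on that belongs in the docstring next to the usage text.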
In Debian Bug tracker #286796, Roger Lynn (roger-rilynn) wrote : Re: Bug#286796: [CAN-2004-1143] mailman: weak auto-generated passwords | #5 |
Doesn't Mailman (in Debian at least) use pwgen for generating passwords?
Roger
In Debian Bug tracker #286796, Florian Weimer (fw) wrote : | #6 |
* Roger Lynn:
> Doesn't Mailman (in Debian at least) use pwgen for generating
> passwords?
No. There's a dependency on pwgen, sure, but I can't see where it is
used in the code.
Martin Pitt (pitti) wrote : | #9 |
Hi Matt!
I already discussed that with you and with Tollef. The required patch is huge
and not yet widely tested. Besides, the introductory mail warns you that default
passwords only provide "mild" security and they are sent out in plaintext anyway.
So what do you think, should this be fixed in Warty right now? ATM I'm leaning
towards fixing it in Hoary/Sid ASAP and waiting a bit until the patch receives
some testing. Are you okay with that?
Matt Zimmerman (mdz) wrote : | #10 |
Yes, that sounds appropriate. Thanks.
In Debian Bug tracker #286796, Tollef Fog Heen (tfheen) wrote : Bug#286796: fixed in mailman 2.1.5-5 | #11 |
Source: mailman
Source-Version: 2.1.5-5
We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:
mailman_
to pool/main/
mailman_2.1.5-5.dsc
to pool/main/
mailman_
to pool/main/
mailman_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tollef Fog Heen <email address hidden> (supplier of updated mailman package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Jan 2005 17:12:58 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-5
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <email address hidden>
Changed-By: Tollef Fog Heen <email address hidden>
Description:
mailman - Powerful, web-based mailing list manager
Closes: 280529 284771 285839 286796 287555
Changes:
mailman (2.1.5-5) unstable; urgency=high
.
* Fix CAN-2004-1143 (weak auto-generated passwords) by pulling the
appropriate CVS change from upstream. Thanks to Florian Weimer for
finding and producing a patch for this bug. (closes: #286796)
* Fix CAN-2004-1177 (CSS problem in scripts/driver) by pulling the
appropriate patch from upstream CVS. Thanks to Florian Weimer for
discovering and producing a patch for this bug. (closes: #287555)
* Handle the case of upgrading from Mailman 2.0 where we have
pending subscriptions. This should hopefully fix #280529. Thanks to
Bastian Kleinedam for the patch. (closes: #280529)
* Skip directories when updating templates, to make the life easier for
people who have their configuration in Subversion or Arch.
(closes: #284771)
* Remove 55_options_
fixed upstream and it causes other problems. (closes: #285839)
Files:
Matt Zimmerman (mdz) wrote : | #13 |
Looks like we should probably sync this into hoary?
Martin Pitt (pitti) wrote : | #14 |
(In reply to comment #8)
> Looks like we should probably sync this into hoary?
Done, so now only Warty is still affected. As agreed, I will delay the Warty fix
until the new password algorithm has received some widespread testing.
Martin Pitt (pitti) wrote : | #15 |
Matt, Tollef,
The new algorithm has now been public for a while and Tollef did not hear anything bad
about it. However, the question remains whether we shall make a Warty update
with the new algorithm?
Matt Zimmerman (mdz) wrote : | #16 |
Did we use an interim fix in Warty, or is it as yet unfixed?
Martin Pitt (pitti) wrote : | #17 |
(In reply to comment #11)
> Did we use an interim fix in Warty, or is it as yet unfixed?
There is no interim fix. There is only the old algorithm (in Warty) which
generates only about 5 million different passwords, and the new algorithm
(sid/hoary) which is better.
Matt Zimmerman (mdz) wrote : | #18 |
Are 5 million failed authentication attempts unlikely to be noticed? (Does
mailman scream about them?)
Tollef Fog Heen (tfheen) wrote : | #19 |
Mailman doesn't tell you, no, but you should notice if you suddenly have 5M
requests to your
mailman page. (For a start, it would probably bump the size of your access.log
by some 500MB).
Martin Pitt (pitti) wrote : | #20 |
(In reply to comment #14)
> Mailman doesn't tell you, no, but you should notice if you suddenly have 5M
> requests to your
> mailman page.
Does that mean that mailman generates admindb requests for failed logins?
I'm inclined to ignore this issue for warty, what do you think?
Tollef Fog Heen (tfheen) wrote : | #21 |
Not apart from the apache logs, no. What I meant is if you suddenly have a large
amount of failed requests in your apache logs, you should notice.
I don't think this is an issue for warty; it's just a minor bug, IMHO. If you
agree, please close the bug.
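One way to put Tollef's observation into practice, as an added example that is not part of the bug thread or of Mailman itself: scan an Apache combined-format access log for bursts of POSTs to the Mailman CGI pages per client, and project how much log the observed volume would produce. The `/mailman/` path prefix, the alert threshold and the sample log lines are assumptions made for this example.

```python
"""Detect brute-force-style request bursts against Mailman CGI pages in an
Apache combined access log. Added example; the sample lines are constructed."""
import re
from collections import Counter

# Apache "combined" log format. The Mailman CGI scripts are assumed to be
# served under /mailman/ (an assumption, not something stated in the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
MAILMAN_PREFIX = "/mailman/"

# Constructed sample lines (RFC 5737 documentation addresses), not a real log.
SAMPLE_LINES = [
    '198.51.100.7 - - [22/Dec/2004:10:53:%02d +0100] "POST /mailman/options/announce '
    'HTTP/1.1" 200 3512 "-" "Mozilla/5.0"' % s
    for s in range(8)
] + [
    '203.0.113.9 - - [22/Dec/2004:10:55:12 +0100] "GET /mailman/listinfo/announce '
    'HTTP/1.1" 200 6021 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Dec/2004:10:55:40 +0100] "POST /mailman/options/announce '
    'HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    'garbage line that does not parse and must be skipped',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def mailman_request_counts(lines):
    """Count POSTs to Mailman pages per client IP. Mailman answers a failed
    member login with a 200 error page, so the status code is no signal; the
    volume of form submissions per source is what stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(MAILMAN_PREFIX):
            counts[rec["ip"]] += 1
    return counts


def flag_bursts(lines, threshold):
    """Clients whose Mailman POST count reaches the threshold, sorted."""
    return sorted(ip for ip, n in mailman_request_counts(lines).items() if n >= threshold)


def projected_log_bytes(lines, attempts):
    """Bytes of access log that `attempts` requests would add, using the mean
    line length (plus newline) of the parsable sample lines."""
    sizes = [len(l) + 1 for l in lines if parse_line(l)]
    return attempts * sum(sizes) // len(sizes)
```

With the sample data, `flag_bursts(SAMPLE_LINES, 5)` reports only `198.51.100.7`, and `projected_log_bytes(SAMPLE_LINES, 5_000_000)` lands in the hundreds of megabytes that the thread mentions.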
Martin Pitt (pitti) wrote : | #22 |
(In reply to comment #16)
> I don't think this is an issue for warty; it's just a minor bug, IMHO. If you
> agree, please close the bug.
Agreed. :-)
Changed in mailman: | |
status: | Unknown → Fix Released |