Comment 3 for bug 266217

Mrcrispin (mrcrispin) wrote :

Our version of Mailman is 2.1.5, the current release version,
along with customizations made at UW by my predecessor
for use with our web pubcookie authentication system.
However, the fault occurs in unmodified Mailman code, and
he insists that nothing he did would affect this.

I call it a security issue because anyone can send a
message to a Mailman mailing list that will cause digests to
fail and be stuck, just by using a bogus character set name
in an attachment filename. Not only isn't the message in
question sent, but all subsequent messages are also held
because of the trap.

A denial of service problem *is* a security problem.

I don't know how extensive the problem is in Mailman, but I
see numerous unicode() calls in the Mailman source that
have no protection from error traps. So maybe more than
just digests are affected.

If you can't reproduce the problem, I'll be happy to provide
some of the messages which hung our digests. The problem
definitely happens with charset names in encoded-
parameters in MIME (attachment filenames).

Thank you in advance for your rapid attention.
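
An added example, not part of the comment above and not Mailman's own code: a guarded decode for RFC 2231 attachment filenames whose charset name matches no codec, next to the unguarded form. It is written for Python 3, where `bytes.decode()` raises the same `LookupError` that an unprotected `unicode(s, charset)` call raises in Python 2; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: the filename parameter names a charset no codec provides.
SAMPLE = (
    "From: sender@example.org\n"
    "To: list@example.org\n"
    "Subject: constructed test message\n"
    "Content-Type: text/plain\n"
    "Content-Disposition: attachment; filename*=x-bogus-charset''r%E9sum%E9.txt\n"
    "\n"
    "body\n"
)


def unguarded_decode(raw, charset):
    """Mirror of an unprotected unicode(raw, charset): unknown names raise."""
    return raw.decode(charset)


def safe_decode(raw, charset, fallback="us-ascii"):
    """Decode with a sender-supplied charset name, never letting it raise.

    LookupError covers unknown codecs and non-text codecs such as 'hex';
    ValueError covers malformed names. Undecodable bytes become U+FFFD.
    """
    try:
        return raw.decode(charset or fallback, "replace")
    except (LookupError, ValueError):
        return raw.decode(fallback, "replace")


def attachment_filename(msg):
    """Return the Content-Disposition filename as text, or None if absent."""
    param = msg.get_param("filename", header="content-disposition")
    if param is None:
        return None
    if isinstance(param, tuple):
        # RFC 2231 form: (charset, language, percent-decoded text).
        charset, _language, text = param
        return safe_decode(text.encode("raw-unicode-escape"), charset)
    return param


if __name__ == "__main__":
    print(attachment_filename(message_from_string(SAMPLE)))
```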