Bugtraq mailing list archives
[Fwd: Security advisory for Endymion MailMan]
From: Ely Pinto <epinto () NEWSDIGITAL COM>
Date: Tue, 12 Dec 2000 10:22:15 -0500
-------- Original Message --------
Subject: Security advisory for Endymion MailMan
Date: Mon, 11 Dec 2000 16:03:03 -0500
From: Endymion Technical Support <support () endymion com>
To: (Recipient list suppressed)

We apologize if you are receiving this announcement more than once. We are attempting to notify every possible affected user, and your name was in a list of users that requested to be notified of important events relating to Endymion MailMan, a web-based email application. We have already attempted to notify as many MailMan customers as possible in a more private announcement, but it is apparent that we needed to send a broader announcement because we have evidence that we missed some of our customers in our previous announcement.

Secure Reality, a Sydney, Australia-based IT security company, has informed us of a security problem in Endymion MailMan. The problem affects all versions of MailMan beyond 3.0, up to version 3.0.25. Details on the problem are available from Secure Reality, at the URL http://www.securereality.com.au/sradv00005.html

We have released a revision of MailMan that prevents this intrusion, as version 3.0.26. We strongly urge all MailMan installations to upgrade to at least version 3.0.26 in order to protect against intrusion using this exploit. We have closely examined MailMan for other potential security flaws related to this issue, and we believe that version 3.0.26 prevents the problem reported by Secure Reality, as well as any other similar issue.

We have been avoiding a totally public announcement until we can notify as many of our legitimate customers as possible, to protect as many of our customers' sites as possible. If you are running a MailMan installation at your site, then we urge you to update to a new revision as soon as possible. Please don't delay in performing the update; we want to keep the window of opportunity for exploiting this problem as narrow as possible.

As a temporary measure to assist our legitimate customers in updating to a safe version, we have placed updates online at the location http://endymion.com/products/mailman/update/ This location is not password-protected, for your convenience. We think that this is a serious enough issue to allow open access to these updates. If you are not already a legitimate MailMan licensee, this does NOT entitle you to a valid license. This problem is simply serious enough that we are attempting to assist our legitimate users in installing the update; please do not take advantage of our hardship to steal our product if you are not a legitimate licensee. We will revert to the password-protected release directory system as soon as we are confident that the majority of our customers have updated their installations. If you have not updated by December 15, 2000, then you will probably need to use your username and password, sent with your original invoice, to access the revision.

In order to update your installation, simply install the new script file from the distribution. You will need to copy any configuration items from the configuration section at the top of the script to your new installation. No template changes should be necessary. Please contact Endymion technical support at support () endymion com if you have any problems with your update.

Lastly, we apologize to our user base for this problem. It was obviously a completely unexpected problem that neither we nor our user base has uncovered in over four years of poring over the MailMan source code. We consider ourselves lucky to have benefited from the services of Secure Reality.

The following is information about the security firm that originally discovered the problem:

Secure Reality (SR) Pty Ltd (http://www.securereality.com.au - ACN 092 728 642) is a Sydney, Australia-based IT security company. SR is primarily involved in:
- Security consulting and management
- Security research
- Security training and seminars

SR's mission is to provide broad security solutions to its clients, not just implementing security software and hardware but actively identifying and neutralizing threats where possible. The issue corrected in this announcement was found as part of a proactive popular software audit conducted as a service to the IT community at large.

Ryan Alyn Porter, President
Endymion Corporation
http://www.endymion.com