oss-sec mailing list archives
Re: Limited DoS in mailman (requires non standard config)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 28 Apr 2015 23:32:55 -0600
CentOS 6.6 with mailman-2.1.12-18.el6.x86_64

Which is.. ergh. I did not realize how old this is.

On 04/28/2015 11:50 AM, Mark Sapiro wrote:
> On 04/28/2015 10:04 AM, Kurt Seifried wrote:
>> So I recently ran into a flaw in mailman where I had imported a text list of email addresses of people that wanted to sign up. It turns out one of the addresses was in the form "user () domain tld/random", not sure how that snuck in but anyways. When sending email to this list it fails due to that address being present:
>
> What Mailman version is this? I don't think any recent version would add that address to a list regardless of how it was attempted to be added.
>
>> from mailman posts log:
>> Apr 28 16:46:23 2015 (29704) post to testing from testing-request@XXX, size=1786, message-id=<mailman.0.1430239582.16535.testing@XXX>, 1 failures
>>
>> from smtp-failure log:
>> smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused: {'kurt () seifried org/foo': (501, '5.1.3 Bad recipient address syntax')}, msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@YYY>
>
> And I think the only address refused was the one kurt () seifried org/foo address. The 'All recipients refused:' refers to all recipients in that SMTP transaction, not necessarily every list member. What does your MTA log say about this delivery? And what does Mailman's 'smtp' log say?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
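An added example, not part of the original message and not Mailman code: a standalone Python script that reads smtp-failure entries of the shape quoted above, lists each refused recipient with its SMTP reply, and flags the syntactically malformed ones so they can be removed from the membership. The sample log lines, the addresses in them and the syntax rule are constructed assumptions.

```python
import ast
import re

# Entry shape quoted in the thread: "... All recipients refused: {addr: (code, text)}, msgid: <id>"
REFUSED = re.compile(r"All recipients refused: (\{.*\}), msgid: (<[^>]*>)")

# Conservative syntax rule (assumption of this example, not Mailman's own check).
LOCAL = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def address_problem(addr):
    """Return a reason string if addr is malformed, else None."""
    if addr.count("@") != 1:
        return "expected exactly one @"
    local, domain = addr.split("@")
    if not LOCAL.match(local):
        return "bad local part"
    for label in domain.split("."):
        if not LABEL.match(label):
            return "bad domain label %r" % label
    return None

def refused_recipients(log_lines):
    """Yield (msgid, address, code, text, syntax_problem) for each refusal."""
    for line in log_lines:
        m = REFUSED.search(line)
        if not m:
            continue
        try:
            refused = ast.literal_eval(m.group(1))  # dict repr, parsed without eval()
        except (ValueError, SyntaxError):
            continue  # truncated or unexpected entry
        for addr, (code, text) in refused.items():
            yield m.group(2), addr, code, text, address_problem(addr)

# Constructed sample entries (not taken from a real log).
SAMPLE = [
    "Apr 28 16:46:44 2015 (29704) All recipients refused: "
    "{'member@example.org/foo': (501, '5.1.3 Bad recipient address syntax')}, "
    "msgid: <constructed-1@example.net>",
    "Apr 28 16:50:02 2015 (29704) All recipients refused: "
    "{'gone@example.com': (550, '5.1.1 User unknown')}, msgid: <constructed-2@example.net>",
]

if __name__ == "__main__":
    for row in refused_recipients(SAMPLE):
        print(row)
```

The same `address_problem` check can be run over a text list of addresses before it is imported, so an entry like the one in this thread is caught before it becomes a list member.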