Bugtraq mailing list archives

[Fwd: Security advisory for Endymion MailMan]


From: Ely Pinto <epinto () NEWSDIGITAL COM>
Date: Tue, 12 Dec 2000 10:22:15 -0500

-------- Original Message --------
Subject: Security advisory for Endymion MailMan
Date: Mon, 11 Dec 2000 16:03:03 -0500
From: Endymion Technical Support <support () endymion com>
To: (Recipient list suppressed)

We apologize if you are receiving this announcement more than once.  We are
attempting to notify every possible affected user, and your name was in a
list of users that requested to be notified of important events relating to
Endymion MailMan, a web-based email application.  We have already attempted
to notify as many MailMan customers as possible in a more private
announcement, but it is apparent that we needed to send a broader
announcement because we have evidence that we missed some of our customers
in our previous announcement.

Secure Reality, a Sydney, Australia based IT Security Company, has informed
us of a security problem in Endymion MailMan.  The problem affects all
versions of MailMan beyond 3.0, up to version 3.0.25.  Details on the
problem are available from Secure Reality, at the URL
http://www.securereality.com.au/sradv00005.html

We have released a revision of MailMan that prevents this intrusion, as
version 3.0.26.  We strongly urge all MailMan installations to upgrade to
at least version 3.0.26 in order to protect against intrusion using this
exploit.  We have closely examined MailMan for other potential security
flaws related to this issue and we believe that version 3.0.26 prevents the
problem reported by Secure Reality, as well as any other similar issue.

We have been avoiding a totally public announcement until we can notify as
many of our legitimate customers as possible, to protect as many of our
customers' sites as possible.  If you are running a MailMan installation at
your site then we urge you to update to a new revision as soon as
possible.  Please don't delay on performing the update; we want to keep the
window of opportunity for exploiting this problem as narrow as possible.

As a temporary measure to assist our legitimate customers in updating to a
safe version, we have placed updates online at the location
http://endymion.com/products/mailman/update/
This location is not password-protected, for your convenience.  We think
that this is a serious enough issue to allow open access to these updates.
If you are not already a legitimate MailMan licensee, this does NOT entitle
you to a valid license.  This problem is simply serious enough that we are
attempting to assist our legitimate users in installing the update; please
do not take advantage of our hardship to steal our product if you are not a
legitimate licensee.  We will revert to the password-protected release
directory system as soon as we are confident that the majority of our
customers have updated their installations.  If you have not updated by
December 15, 2000, then you will probably need to use your username and
password, sent with your original invoice, to access the revision.

In order to update your installation, simply install the new script file
from the distribution.  You will need to copy any configuration items from
the configuration section at the top of the script to your new
installation.  No template changes should be necessary.  Please contact
Endymion technical support at support () endymion com if you have any
problems with your update.

Lastly, we apologize to our user base for this problem.  It was obviously a
completely unexpected problem that neither we nor our user base has
uncovered in over four years of poring over the MailMan source code.  We
consider ourselves lucky to have benefited from the services of Secure
Reality.

The following is information about the security firm that originally
discovered the problem:

Secure Reality (SR) Pty Ltd (http://www.securereality.com.au - ACN 092 728
642) is a Sydney, Australia based IT Security Company. SR is primarily
involved in:
   - Security consulting and management
   - Security research
   - Security training and seminars
SR's mission is to provide broad security solutions to its clients, not
just implementing security software and hardware but actively identifying
and neutralizing threats where possible. The issue corrected in this
announcement was found as part of a proactive popular software audit
conducted as a service to the IT community at large.

Ryan Alyn Porter, President
Endymion Corporation
http://www.endymion.com
