Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Apr 2015 23:32:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Mark Sapiro <mark@...piro.net>, mailman-security@...hon.org,
        "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Limited DoS in mailman (requires non standard config)

CentOS 6.6 with mailman-2.1.12-18.el6.x86_64

Which is.. ergh. I did not realize how old this is.

On 04/28/2015 11:50 AM, Mark Sapiro wrote:
> On 04/28/2015 10:04 AM, Kurt Seifried wrote:
>> So I recently ran into a flaw in mailman where I had imported a text
>> list of email addresses of people that wanted to sign up. It turns out
>> one of the addresses was in the form "user@...ain.tld/random", not sure
>> how that snuck in but anyways. When sending email to this list it fails
>> due to that address being present:
> 
> 
> What Mailman version is this?
> 
> I don't think any recent version would add that address to a list
> regardless of how it was attempted to be added.
> 
> 
>> from mailman posts log:
>>
>> Apr 28 16:46:23 2015 (29704) post to testing from testing-request@...,
>> size=1786, message-id=<mailman.0.1430239582.16535.testing@...>, 1 failures
>>
>> from smtp-failure log:
>>
>> smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused:
>> {'kurt@...fried.org/foo': (501, '5.1.3 Bad recipient address syntax')},
>> msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@...>
> 
> 
> And I think the only address refused was the one kurt@...fried.org/foo
> address. The 'All recipients refused:' refers to all recipients in that
> SMTP transaction, not necessarily every list member.
> 
> What does your MTA log say about this delivery? And what does Mailman's
> 'smtp' log say?
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ