From bfriesen at simple.dallas.tx.us Tue Aug 7 17:38:24 2007
From: bfriesen at simple.dallas.tx.us (Bob Friesenhahn)
Date: Tue, 7 Aug 2007 12:38:24 -0500 (CDT)
Subject: [Png-mng-security] png-mng-security list compromised
Message-ID:

It seems that someone we trusted posted a URL to the png-mng-security
archives on a public Debian mailing list. This resulted in immediate
compromise of the list. Today we received our first spam message to
the list.

Unless someone cracks the system (or Mailman), they can not add
themselves to the list. However, once someone knows the location of
the list they can peruse the list archives and can mirror them daily
to receive up to date information.

There is a choice to be made. We can eliminate or rename the list, or
we can trust that the list itself won't be compromised and disable the
archiving feature so that it is not possible for someone to retrieve
the archives. If the archives are disabled, then archiving needs to
be done via our own mailboxes.

For the moment I have set the archive to "private" which presumably
requires entering a mailman list password in order to be redirected to
publicly readable web pages. The URL of the publicly readable web
pages seems to be altered somewhat using an insecure method (adds
"private" to the URL path).

The decision regarding what to do needs to be made ASAP so that there
can be a secure list in place when the next inevitable compromise
occurs.

Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

From jbowler at acm.org Tue Aug 7 17:40:01 2007
From: jbowler at acm.org (John Bowler)
Date: Tue, 7 Aug 2007 10:40:01 -0700
Subject: [Png-mng-security] png-mng-security list compromised
In-Reply-To:
Message-ID: <000b01c7d91a$0b045980$1201a8c0@caisteal>

From: Bob Friesenhahn
>If the archives are disabled, then archiving needs to
>be done via our own mailboxes.

I do this for all mailing lists I am subscribed to. So far as I can
see archives are primarily useful to people *not* subscribed to a list,
so in this case I suggest the message archives should either not exist
or not be available to anyone lacking some appropriately secure
password.

It seems to me that knowledge of existence of the list, where it is and
what it is called, should not, itself, be a security issue. Posting to
the list is, I assume, only possible for people subscribed to it (not
that this prevents more directed spam, since many of our email addresses
are well known and can easily be forged.)

John Bowler

From bfriesen at simple.dallas.tx.us Tue Aug 7 18:15:16 2007
From: bfriesen at simple.dallas.tx.us (Bob Friesenhahn)
Date: Tue, 7 Aug 2007 13:15:16 -0500 (CDT)
Subject: [Png-mng-security] png-mng-security list compromised
In-Reply-To: <000b01c7d91a$0b045980$1201a8c0@caisteal>
References: <000b01c7d91a$0b045980$1201a8c0@caisteal>
Message-ID:

On Tue, 7 Aug 2007, John Bowler wrote:

> From: Bob Friesenhahn
>> If the archives are disabled, then archiving needs to
>> be done via our own mailboxes.
>
> I do this for all mailing lists I am subscribed to. So far as I can
> see archives are primarily useful to people *not* subscribed to a list,
> so in this case I suggest the message archives should either not exist
> or not be available to anyone lacking some appropriately secure
> password.

Disabling and removing the archives is easy to do.

> It seems to me that knowledge of existence of the list, where it is and
> what it is called, should not, itself, be a security issue. Posting to
> the list is, I assume, only possible for people subscribed to it (not
> that this prevents more directed spam, since many of our email addresses
> are well known and can easily be forged.)

The list is hosted on a system which has been running without (known)
compromise for many years. Most services are disabled on it. OS
security patches are recent. There is a daily versioned backup of the
mailing list server files.

If we must continually change the mailing list name in order to keep
it private, then the word may not get out in time (or to the right
people) when there is a serious compromise.

Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

From tgl at sss.pgh.pa.us Wed Aug 8 06:11:21 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Wed, 08 Aug 2007 02:11:21 -0400
Subject: [Png-mng-security] png-mng-security list compromised
In-Reply-To:
References:
Message-ID: <22943.1186553481@sss.pgh.pa.us>

Bob Friesenhahn writes:
> There is a choice to be made. We can eliminate or rename the list, or
> we can trust that the list itself won't be compromised and disable the
> archiving feature so that it is not possible for someone to retrieve
> the archives.

Most of the sensitive lists that I deal with require a subscriber's
password to access the archives. Can't we set it up like that?
If not, my vote is just to remove the archives ... they're certainly
not essential.

Frequent renamings of the list are right out. If you are concerned that
the present exposure of the list's existence might lead to more spam
load than you can handle, then I can deal with a one-time renaming, but
doing it regularly is no good.

regards, tom lane

From bfriesen at simple.dallas.tx.us Wed Aug 8 14:51:10 2007
From: bfriesen at simple.dallas.tx.us (Bob Friesenhahn)
Date: Wed, 8 Aug 2007 09:51:10 -0500 (CDT)
Subject: [Png-mng-security] png-mng-security list compromised
In-Reply-To: <22943.1186553481@sss.pgh.pa.us>
References: <22943.1186553481@sss.pgh.pa.us>
Message-ID:

On Wed, 8 Aug 2007, Tom Lane wrote:

> Bob Friesenhahn writes:
>> There is a choice to be made. We can eliminate or rename the list, or
>> we can trust that the list itself won't be compromised and disable the
>> archiving feature so that it is not possible for someone to retrieve
>> the archives.
>
> Most of the sensitive lists that I deal with require a subscriber's
> password to access the archives. Can't we set it up like that?

I think that if you attempt to access the archives now, you will be
prompted for your list password in order to access the archives.
However, the archives are not actually stored (by default) in a way
which prevents access without a password. The web server's
authentication mechanism (rather than Mailman's) would be needed to
block access to the archives.

> Frequent renamings of the list are right out. If you are concerned that
> the present exposure of the list's existence might lead to more spam
> load than you can handle, then I can deal with a one-time renaming, but
> doing it regularly is no good.

SPAM is easily handled by having the list automatically dispose of
non-subscriber emails.

Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
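
The last message says that blocking access to the archive pages would need the web server's own authentication rather than Mailman's. The fragment below is an added example, not part of the thread and not the list's actual configuration; it assumes Apache httpd 2.4, and both filesystem paths are placeholders.

```apache
# Added example. Assumes Apache httpd 2.4; both paths below are
# placeholders (assumptions), not values taken from the thread.

# Weak setting, shown commented out: the directory that holds the
# archive pages is served to anyone who knows or guesses the URL, so a
# password prompt shown elsewhere is not enforced for these files.
#<Directory "/path/to/list-archives">
#    Require all granted
#</Directory>

# Corrected setting: the web server itself refuses every request for
# the archive pages unless the client authenticates.
<Directory "/path/to/list-archives">
    AuthType Basic
    AuthName "png-mng-security archives"
    AuthBasicProvider file
    # Keep the password file outside any directory the server publishes.
    AuthUserFile "/path/to/htpasswd-outside-docroot"
    Require valid-user
    # No auto-generated listings of the archive files.
    Options -Indexes
</Directory>
```

Basic authentication sends the password in an easily decoded form, so this block belongs on an HTTPS virtual host. If the archives are removed instead, as two of the replies prefer, `Require all denied` on the same directory is enough.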