Common Vulnerabilities and Exposures assigned an identifier CVE-2002-0389 to the following vulnerability: Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389 [2] http://marc.theaimsgroup.com/?l=bugtraq&m=101902003314968&w=2 [3] http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103 [4] http://www.iss.net/security_center/static/8874.php [5] http://www.securityfocus.com/bid/4538 Further references: [6] https://bugzilla.novell.com/show_bug.cgi?id=418589 [7] https://bugzilla.redhat.com/show_bug.cgi?id=459530 Proposed upstream solution: [8] http://www.list.org/mailman-install/node9.html (in the Warning part)
Exact form of the upstream solution proposal (from [8]): ======================================================== Warning: If you're running Mailman on a shared multiuser system, and you have mailing lists with private archives, you may want to hide the private archive directory from other users on your system. In that case, you should drop the other execute permission (o-x) from the archives/private directory. However, the web server process must be able to follow the symbolic link in public directory, otherwise your public Pipermail archives will not work. To set this up, become root and run the following commands: # cd <prefix>/archives # chown <web-server-user> private # chmod o-x private You need to know what user your web server runs as. It may be www, apache, httpd or nobody, depending on your server's configuration.
This issue affects the versions of the mailman package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- This issue does NOT affect the versions of the mailman package, as shipped with Fedora release of 14 and 15. It has been corrected in mailman-2.1.13-4.fc14 already. Relevant Changelog entry: * Tue Jul 13 2010 Jan Kaluza <jkaluza> 3:2.1.13-4 - #459530 - fix permissions of archives/private directory
Created attachment 514052 [details] Relevant mailman-2.1.13-3 and mailman-2.1.13-4 SPEC file difference Implements the changes, suggested to be performed post mailman installation (steps described in that Warning)
Statement: (none)
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1417 https://rhn.redhat.com/errata/RHSA-2015-1417.html