A path traversal vulnerability has been discovered and fixed in Mailman 2.1.20. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed. The patch to Mailman/Utils.py at <https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4358114/+files/p> can be applied with at most a line number offset to any Mailman 2.1.x version, but the referenced mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS setting didn't exist before Mailman 2.1.11 so if you are patching an older version, you need to add: ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' to mm_cfg.py and/or Defaults.py.
Created mailman tracking bugs for this issue: Affects: fedora-all [bug 1208060]
More detailed description from https://bugs.launchpad.net/mailman/+bug/1437145 : "The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix. The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../<email address hidden>), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack. The recommended Exim configuration does check that the lists/${lc::$local_part}/config.pck file does exist, but this check is also vulnerable to the path traversal attack."
Upstream bug: https://bugs.launchpad.net/mailman/+bug/1437145
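The check the fix relies on, as an added illustration (not Mailman's own code or the Launchpad patch): a list name derived from the local part is rejected unless every character is in the ACCEPTABLE_LISTNAME_CHARACTERS class quoted above, and the resulting directory is additionally confirmed to stay under the lists root. LIST_DATA_DIR, the suffix list and listname_from_local_part are simplified assumptions standing in for the real transport and mm_cfg values.

```python
import os
import re

# Character class from the advisory's suggested mm_cfg setting.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Placeholder lists root; Mailman takes the real one from mm_cfg.LIST_DATA_DIR.
LIST_DATA_DIR = '/var/lib/mailman/lists'

# Assumed set of address suffixes the transport strips before deriving the
# list name; longer suffixes first so '-unsubscribe' is not matched as '-subscribe'.
SUFFIXES = ('-unsubscribe', '-subscribe', '-bounces', '-confirm', '-request',
            '-admin', '-owner', '-leave', '-join')


def listname_from_local_part(local_part):
    """Mimic the transport: lower-case the local part and drop a known suffix."""
    name = local_part.lower()
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            return name[:-len(suffix)]
    return name


def is_acceptable_listname(listname):
    """True iff the name is non-empty and nothing survives stripping allowed chars."""
    if not listname:
        return False
    return re.sub(ACCEPTABLE_LISTNAME_CHARACTERS, '', listname) == ''


def safe_list_dir(local_part):
    """Return the list directory for a local part, or None if the name is hostile.

    Two independent checks: the character whitelist (the approach of the fix)
    and a confirmation that the joined, normalised path is a direct child of
    LIST_DATA_DIR, so a traversal sequence can never escape the lists root.
    """
    listname = listname_from_local_part(local_part)
    if not is_acceptable_listname(listname):
        return None
    path = os.path.normpath(os.path.join(LIST_DATA_DIR, listname))
    if os.path.dirname(path) != os.path.normpath(LIST_DATA_DIR):
        return None
    return path


if __name__ == '__main__':
    # Constructed sample local parts: two benign, one carrying a traversal.
    for lp in ('mylist-bounces', 'MyList', '../../../../../tmp/evil'):
        print(repr(lp), '->', safe_list_dir(lp))
```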
mailman-2.1.20-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Statement: (none)
mailman-2.1.20-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1153 https://rhn.redhat.com/errata/RHSA-2015-1153.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1417 https://rhn.redhat.com/errata/RHSA-2015-1417.html