COMMAND

Local user has access to private mailing-list archives

SYSTEMS AFFECTED

All versions

PROBLEM

H. Peter Anvin reported the following:

There is a vulnerability in Pipermail (mailing list archiving software distributed with and integrated with Mailman), that affects you if you have local users on the machine. If you have (a) private Mailman mailing lists and (b) user logins on the same machine, any local user can read the archives of those private mailing lists.

Bug report abstract
===================

> $mailman_root/archive/private is o+x in the default
> installation. This allows anyone with local access to
> the machine to read the archives of private mailing
> lists, as long as they know the (trivial) structure of
> the files beneath this directory.
>
> I have verified that changing this directory to o-x
> causes *all* pipermail pages to become inaccessible, so
> that does not resolve the problem.
>
> There presumably needs to be a setgid program involved
> which can verify that the user is authenticated and
> give access to the archives if appropriate; then that
> directory can be made o-x.

SOLUTION

The Mailman people have apparently declined to fix this bug.
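A small audit check for the condition the report describes (the private archive directory being world-traversable). This is an added example, not code from the advisory or from Mailman; it assumes the caller passes the archive directory path (e.g. the report's $mailman_root/archive/private) and relies only on POSIX `ls -ld` output.

```shell
#!/bin/sh
# Report whether a Mailman private archive directory is world-traversable
# (o+x), the misconfiguration in the bug report above. Added audit helper,
# not part of the advisory or of Mailman.

mode_of() {
    # Symbolic mode string of a path, e.g. "drwxrwsr-x" (first 10 chars of
    # `ls -ld`; a trailing ACL/xattr marker such as "+" is cut off).
    ls -ld "$1" | cut -c1-10
}

other_can_traverse() {
    # Succeed (0) when "other" holds the search bit on the directory.
    # Position 10 is other-execute; "t" means sticky bit plus execute.
    case "$(mode_of "$1")" in
        ?????????[xt]) return 0 ;;
        *)             return 1 ;;
    esac
}

audit_private_archive() {
    # 0 = directory is not world-traversable, 1 = it is, 2 = path missing.
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    if other_can_traverse "$dir"; then
        echo "WARN: $dir is world-traversable ($(mode_of "$dir")); any local user can reach the files beneath it"
        return 1
    fi
    echo "OK: $dir is not world-traversable ($(mode_of "$dir"))"
    return 0
}
```

Usage: `audit_private_archive /path/to/archive/private`; a non-zero exit is the finding. As the report notes, simply removing o+x breaks the archive web pages, so the fix involves how the web server gains access rather than this bit alone.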