My suggestion would be:

1) As soon as possible post MM 2.1.6 with the security patch.

2) Quickly follow up with MM 2.1.7 with the member passwords hashed. At the same time I think we should implement the stronger password generation suggested in this open advisory against mailman: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143

I believe this will need a little support in configure.in to detect and be able to utilize the presence of /dev/urandom, with an appropriate fallback in its absence.

One of my hesitations to injecting the stronger password generation into mailman was that the resulting password is then sent in the clear via SMTP; the same is true for the "lost password" feature and the monthly password reminders. Until all these clear transmissions of passwords are turned off, stronger password generation seems a moot point to me. Thus I agree with Barry: turn off the monthly reminders, "mail my password to me" needs to be changed to generate a new password (using the stronger mechanism in CAN-2004-1143), AND the generated password sent in the clear needs to expire in a configurable amount of time (default = 8 hours?) and with first use (e.g. must reset password), so that any password sent in the clear has very limited utility.

Then in the MM 3.0 time frame the entire mailman security framework should be revisited; there are many security issues that should be addressed. At a minimum the suggestion of supporting alternate authentication mechanisms (e.g. pam, ldap, kerberos, etc.) should be implemented. In my mind, this is too radical for a 2.1.x release. 3.0 is the right time to debut a more configurable and robust security framework.
-- John Dennis <[EMAIL PROTECTED]>
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
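The password handling John proposes above (hashed member passwords, temporary passwords drawn from the OS CSPRNG, an 8-hour expiry and single use for anything mailed in the clear), as an added Python example that is not Mailman's own code; the store layout, function names and PBKDF2 parameters are assumptions made for the illustration.

```python
# Added example (not Mailman's code): a minimal member-password store that
# keeps only salted hashes, generates temporary passwords from the OS CSPRNG
# (the secrets module reads os.urandom, i.e. /dev/urandom where available),
# and makes any password that was mailed in the clear expire after a
# configurable time (default 8 h) and burn on first use.
import hashlib
import secrets
import string

PBKDF2_ROUNDS = 100_000          # assumption: tunable work factor
ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_TTL = 8 * 3600     # default lifetime of a mailed password


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(store: dict, member: str, password: str) -> None:
    """Store a member-chosen password: no expiry, no reset requirement."""
    salt = secrets.token_bytes(16)
    store[member] = {"salt": salt, "hash": _hash(password, salt),
                     "expires": None, "must_reset": False}


def issue_temporary_password(store: dict, member: str, now: float,
                             ttl: int = TEMP_PASSWORD_TTL, length: int = 12) -> str:
    """What "mail my password" should do instead of revealing the stored one:
    replace it with a fresh random password and return the clear text for
    mailing. It expires at now + ttl and must be replaced on first use."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    set_password(store, member, password)
    store[member].update({"expires": now + ttl, "must_reset": True})
    return password


def authenticate(store: dict, member: str, password: str, now: float) -> str:
    """Return "ok", "reset_required", "expired" or "bad" (unknown member or
    wrong password are deliberately indistinguishable)."""
    rec = store.get(member)
    if rec is None:
        return "bad"
    if rec["expires"] is not None and now >= rec["expires"]:
        return "expired"
    if not secrets.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        return "bad"
    if rec["must_reset"]:
        rec["expires"] = now      # single use: the mailed password is now dead
        return "reset_required"   # caller must call set_password() next
    return "ok"
```

The caller that receives "reset_required" should only accept a call to set_password() for that session; the burned temporary password is already rejected on the next attempt.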