Mike Brudenell wrote: > >All the documentation I've read and help pages I've managed to locate give >no clue of this behaviour. Instead they strongly imply that by setting the >umbrella_list setting to YES that "password reminders" are sent to the >list's owners by adding the specified suffix (typically "-owner") to each >member's address. > >I'm now wondering if this is actually referring only to the "Please remind >me of my password" link, not the monthly reminder. If so then a huge >warning needs adding to the FAQ and documentation about umbrella lists >advising admins NOT to turn on the monthly reminders for umbrella lists in >order to avoid this big security issue. > >Or am I missing something/have something misconfigured?
I think you are correct. I think cron/mailpasswds should be fixed. I don't know how this has been ignored for so long. In the mean time, I think the following (Warning - totally untested and watch out for wrapped lines) patch will fix it. --- mailpasswds 2006-04-15 17:38:24.000000000 -0700 +++ mailpasswdsx 2006-06-01 07:30:07.843750000 -0700 @@ -162,6 +162,8 @@ optionsurl = mlist.GetOptionsURL(member) lang = mlist.getMemberLanguage(member) info = (listaddr, password, optionsurl, lang) + if mlist.umbrella_list: + member = mlist.GetMemberAdminEmail(member).lower() userinfo.setdefault(member, []).append(info) # Now that we've collected user information for this host, send each # user the password reminder. -- Mark Sapiro <[EMAIL PROTECTED]> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp