I've finally regained access to all three websites, list.org,
mailman.sf.net, and the GNU mirror, so I've pushed out the latest
updates. There are the usual additions to the list of users, but much
more importantly there's Terri's new user documentation, and my recent
consolidation of the installa
At 11:04 AM +0100 2004-12-22, Florian Weimer wrote:
Feedback from selected, trustworthy Mailman users indicates that
Mailman users also think that this is a security bug.
I agree that it's a security issue, but I think that there are
other issues that are higher in the priority list for future
So let me try to address some of the issues raised here. There's two
things: what we can do for Mailman 2.1, and what we can do for Mailman
3.0 (yes, it is still alive ;).
For the most part, passwords are one big PITA all around. I'd love to
see mechanisms in MM3 that would eliminate passwords a
On 12/21/2004 15:47, "Terri Oda" <[EMAIL PROTECTED]> wrote:
> On Dec 15, 2004, at 11:37 AM, John Dennis wrote:
>
>> This was forwarded to me by our security officer. I believe the
>> original
>> author, Florian Weimer, intended to reach this list but did not know
>> how
>> to and instead went thr
* JC Dill:
> Florian Weimer wrote:
>
>>Last time I checked, Mailman labels its member-only archives
>>"private", and the implicit promise to keep things posted to the list
>>private is not kept if the software assigns easily guessed to new
>>members.
>>
>>I can only repeat that Mailman's current b
While I agree that on the average, the passwords aren't that critical, I do have a few lists that
are set to require the admin's approval for subscription. Here, security is a little tighter.
I do routinely disable the monthly password reminders though - there's enough in the web admin that
peo
Florian Weimer wrote:
Last time I checked, Mailman labels its member-only archives
"private", and the implicit promise to keep things posted to the list
private is not kept if the software assigns easily guessed to new
members.
I can only repeat that Mailman's current behavior surprises your users
On Dec 22, 2004, at 5:40 AM, Florian Weimer wrote:
Shall I post them to this mailing list, and notify full-disclosure &c
at the same time? (Terri will prove that these two bugs are
non-issues as well, and propose to defer fixing them to 3.0 anyway, so
I doubt that a private discussion would get us
* Barry Warsaw:
> On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
>
>> where should I submit security bugs? There are two more in my queue
>> (minor ones, admittedly, as no server-side code execution is
>> involved).
>
> As a general rule, you can post security issues to
> [EMAIL PROTECTED], w
On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
> where should I submit security bugs? There are two more in my queue
> (minor ones, admittedly, as no server-side code execution is
> involved).
As a general rule, you can post security issues to
[EMAIL PROTECTED], which is a closed distributio
Hi,
where should I submit security bugs? There are two more in my queue
(minor ones, admittedly, as no server-side code execution is
involved).
Shall I post them to this mailing list, and notify full-disclosure &c
at the same time? (Terri will prove that these two bugs are
non-issues as well, a
* Terri Oda:
> First off -- as far as I know, the mailman password generation
> algorithm was never intended for significant security. It was intended
> to generate nearly-pronounceable (and thus easier to remember) passwords
> as a mild deterrent to attackers. I wouldn't really characterize
* John Dennis:
> This was forwarded to me by our security officer. I believe the original
> author, Florian Weimer, intended to reach this list but did not know how
> to and instead went through his security contacts.
Of course I went through my security contacts because I thought (and
still thin
Stephen J. Turnbull wrote:
You might also want to look at some of the notes for Mailman3 in the
Mailman3 tree, and compare its source tree structure to Mailman2.
Thanks for all the pointers; I haven't had a chance to dig in yet, but I
did get the mail flowing again by moving out a large batch of m