Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 11:35 AM, Odhiambo Washington wrote: > On 19 January 2017 at 21:22, Mark Sapiro wrote: >> >> Look at some of the hits from searching at >> for >> global_ban_list. >> > > > Seen that. Usable, but not everything, given that so

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 21:22, Mark Sapiro wrote: > On 01/19/2017 08:32 AM, Odhiambo Washington wrote: > > On 19 January 2017 at 18:55, Brian Carpenter wrote: > > > > Odhiambo Washington wrote: > >>> > >>> Now this got me thinking: Once one has submitted a subscription request > >> and > >>> Mailm

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 08:32 AM, Odhiambo Washington wrote: > On 19 January 2017 at 18:55, Brian Carpenter wrote: > Odhiambo Washington wrote: >>> >>> Now this got me thinking: Once one has submitted a subscription request >> and >>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline an

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 18:55, Brian Carpenter wrote: > > I have a situation which is a little confusing on a server where I run > > Mailman. The subscription model is "confirm & approve" > > > > When I check the MTA's queue, I find hundreds of mail destined to certain > > addresses, and one addres

Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Brian Carpenter
> I have a situation which is a little confusing on a server where I run > Mailman. The subscription model is "confirm & approve" > > When I check the MTA's queue, I find hundreds of mail destined to certain > addresses, and one address could have 10 or more same mail destined to it. > I cleared t

[Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
Okay, maybe the subject is inflammatory/misleading :-) I have a situation which is a little confusing on a server where I run Mailman. The subscription model is "confirm & approve" When I check the MTA's queue, I find hundreds of mail destined to certain addresses, and one address could have 10 o

Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Lindsay Haisley
On Tue, 2013-05-07 at 10:40 +0900, Stephen J. Turnbull wrote: > Lindsay Haisley writes: > > > Is there any support in any version of Mailman for total end to end > > message security? > > Not in a distributed version, although as mentioned in another post > there's a patch. There's a GSoC prop

[Mailman-Users] Mailman security question

2013-05-06 Thread Stephen J. Turnbull
Lindsay Haisley writes: > Is there any support in any version of Mailman for total end to end > message security? Not in a distributed version, although as mentioned in another post there's a patch. There's a GSoC proposal to implement some such thing for Mailman 3, with a reasonable UI for ha

Re: [Mailman-Users] Mailman security question

2013-05-06 Thread Dennis Putnam
On 5/6/2013 4:54 PM, Lindsay Haisley wrote: > Is there any support in any version of Mailman for total end to end > message security? This would involve being able to send, say, a GPG (or > PGP) encrypted post to a list, using the list's public key, having the > list decrypt it, and then repost it

[Mailman-Users] Mailman security question

2013-05-06 Thread Lindsay Haisley
Is there any support in any version of Mailman for total end to end message security? This would involve being able to send, say, a GPG (or PGP) encrypted post to a list, using the list's public key, having the list decrypt it, and then repost it to all subscribers, encrypted for each using their

Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro
On 2/18/2011 8:01 AM, Mark Sapiro wrote: > > The patch is attached as confirm_xss.patch.txt. > This list's content filtering stripped the patch's signature part. For those who would want to verify the signature, I am resending the patch here as a PGP MIME format message which should pass content

Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 2/13/2011 1:58 PM, Mark Sapiro wrote: > An XSS vulnerability affecting Mailman 2.1.14 and prior versions has > recently been discovered. A patch has been developed to address this > issue. The patch is small, affects only one module and can be appli

[Mailman-Users] Mailman Security Patch Announcement

2011-02-13 Thread Mark Sapiro
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 An XSS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a r

[Mailman-Users] Mailman security patch.

2010-09-04 Thread Mark Sapiro
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vul

Re: [Mailman-Users] Mailman Security & privacy needed examples are given below

2008-07-12 Thread Steven Stern
Mark Sapiro wrote: jithender reddy wrote: whereas one day I find that same as ours i.e. mailman archive it is showing entire mails to the outside people. If they are downloading all the archives and seeing them will break our privacy this came to my existence after 2 years of time. I don't k

Re: [Mailman-Users] Mailman Security & privacy needed examples are given below

2008-07-12 Thread Mark Sapiro
jithender reddy wrote: > >where >as one day I find that same as ours i.e. mailman archive it is showing >entire mails to the outside people. If they are downloading all the >archives and seeing them will break our privacy this came to my >existence after 2 years of time. I don't know how may are do

[Mailman-Users] Mailman Security & privacy needed examples are given below

2008-07-12 Thread jithender reddy
Hello Mailman community We are using the Mailman in our office, for our internal purpose only. Which is meant for privacy to the office also. whereas one day I find that same as ours i.e. mailman archive it is showing entire mails to the outside people. If they are downloading all the archive

Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin
>On Wed, 5 Feb 2003 13:47:48 + >Adam <[EMAIL PROTECTED]> wrote: > >> On Wed, 5 Feb 2003 11:44:10 - >> "dino" <[EMAIL PROTECTED]> wrote: >> >> > Actually he did it this way: >> > >> > Noticed that mydomain/mailman was browsable. >> > >> > Telneted to port 80 and sent a get request from th

Re: [Mailman-Users] Mailman Security.

2003-02-06 Thread Keith Mastin
>Hi All, > >I was just wondering what kind of security mailman offers, as far as >protecting user passwords goes? > >A techy friend of mine has just kindly emailed me a list of all users >and their passwords! Looking at my server logs it would appear that he >snuck in somehow via anonymous ftp. >

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread lhansfor
--Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > John Buttery > Sent: 05 February 2003 11:27 > To: 'Mailman users Mailing list' > Subject: Re: [Mailman-Users] Mailman Security. > > > * dino <[EMAIL PROTECTED]> [

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message- > From: Simone Piunno > Sent: Wednesday, February 05, 2003 11:25 AM > > actually, telnet does NOT show you the RAW connection data (it does > terminal emulation, intercepting control sequences). For real raw > data you should use netcat: > Excellent point Simone. I s

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Simone Piunno
Wednesday, 05 February 2003 at 09:51:02, Jim Popovitch wrote: > People, you can use telnet to connect to any port and view the raw > connection data on that port. See this URL for how to send email via actually, telnet does NOT show you the RAW connection data (it does terminal emulation

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message- > From: Adam > Sent: Wednesday, February 05, 2003 8:49 AM > > The fact that telnet is open pretty much says everything about > this sysadmin's approach to security. The fact that you confused "telnet 80" with "telnet " says volumes about your sysadmin skills. :) Peo

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Richard Barrett
and desist the telnet server. This problem is likely to be due to poor setup of your httpd.conf. Dino -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Buttery Sent: 05 February 2003 11:27 To: 'Mailman users Mailing list' Subject: Re:

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Jim Popovitch
> -Original Message- > From: dino > Sent: Wednesday, February 05, 2003 6:44 AM > > Actually he did it this way: > > Noticed that mydomain/mailman was browsable. > > Telneted to port 80 and sent a get request from there...ouch. Your web browser "telnets" to port 80 all day long. :) -Ji

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw
> "A" == Adam <[EMAIL PROTECTED]> writes: A> The fact that telnet is open pretty much says everything about A> this sysadmin's approach to security. Actually, using the telnet /client/ to connect to port 80 is a pretty natural thing to do. It should connect to the web server runni

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread dino
Sent: 05 February 2003 13:48 To: [EMAIL PROTECTED] Subject: Re: [Mailman-Users] Mailman Security. On Wed, 5 Feb 2003 11:44:10 - "dino" <[EMAIL PROTECTED]> wrote: > Actually he did it this way: > > Noticed that mydomain/mailman was browsable. > > Telneted to

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw
> "d" == dino <[EMAIL PROTECTED]> writes: d> I was just wondering what kind of security mailman offers, as d> far as protecting user passwords goes? User passwords are considered a lower value asset, so while it should not be possible for unauthorized users or list admins to get the

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread Barry A. Warsaw
> "d" == dino <[EMAIL PROTECTED]> writes: d> Actually he did it this way: d> Noticed that mydomain/mailman was browsable. d> Telneted to port 80 and sent a get request from there...ouch. d> Sorting that now More details, please. E.g. exactly what url did he get? -Barry

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread Adam
On Wed, 5 Feb 2003 13:47:48 + Adam <[EMAIL PROTECTED]> wrote: > On Wed, 5 Feb 2003 11:44:10 - > "dino" <[EMAIL PROTECTED]> wrote: > > > Actually he did it this way: > > > > Noticed that mydomain/mailman was browsable. > > > > Telneted to port 80 and sent a get request from there...ouch.

RE: [Mailman-Users] Mailman Security.

2003-02-05 Thread dino
: 'Mailman users Mailing list' Subject: Re: [Mailman-Users] Mailman Security. * dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]: > I was just wondering what kind of security mailman offers, as far as > protecting user passwords goes? Pretty much none. It emails

Re: [Mailman-Users] Mailman Security.

2003-02-05 Thread John Buttery
* dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -]: > I was just wondering what kind of security mailman offers, as far as > protecting user passwords goes? Pretty much none. It emails them cleartext once a month, for starters. The list signup page explicitly instructs subscribers not to u

[Mailman-Users] Mailman Security.

2003-02-05 Thread dino
Hi All, I was just wondering what kind of security mailman offers, as far as protecting user passwords goes? A techy friend of mine has just kindly emailed me a list of all users and their passwords! Looking at my server logs it would appear that he snuck in somehow via anonymous ftp. Would clo