On Wed, 2004-12-22 at 09:46, Florian Weimer wrote:
- Barry Warsaw:
On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
where should I submit security bugs? There are two more in my queue (minor ones, admittedly, as no server-side code execution is involved).
As a general rule, you can post security issues to firstname.lastname@example.org, which is a closed distribution list.
I will try to find some time in the next few days to respond to the previous password issue.
As this bug is now publicly documented, I've submitted a patch to the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796
Unfortunately, this patch is not portable because it relies on the existence of /dev/urandom.
Can you send me (via mailman-cabal) the patch -- I don't want to have to cut and paste it out of the referenced bug report.
If you do this, I will include the change_pw script for Mailman 2.1.6 and make a /dev/urandom based password optional based on an mm_cfg.py variable. I'm not sure exactly how to handle the listinfo text, but I'll think of something.