Feb. 10, 2005
6:29 p.m.
Hi,
John Dennis wrote:
> My suggestion would be:
> - As soon as possible post MM 2.1.6 with the security patch.
+1
> - Quickly follow up with MM 2.1.7 with the member passwords hashed.
I would suggest 'mailman 2.2' and introduce password-less membership. Most of the user operations should be done by a confirmation string sent by email message. Users can optionally have their own passwords, which should be stored in hashed format.
Other 2.2 features I imagine are:
- Languages are selectable as a configure option.
- Internal strings are unified to unicode to reduce type checking.
- Utf-8 web pages for
> At the same time I think we should implement the stronger password generation suggested in this open advisory against mailman.
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143
This has been integrated in 2.1.6 CVS.
-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/
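The password-less membership scheme proposed in this message, as an added example in Python that is not Mailman code nor from anyone in the thread: confirmation strings for member operations are CSPRNG-generated, single-use and expiring, and a password, when a member opts to set one, is stored only as a salted PBKDF2 hash. The class and function names (MemberStore, issue_confirmation, confirm, hash_password) and the three-day cookie lifetime are assumptions.

```python
# Added example, not Mailman code: sketch of the proposed 2.2 scheme, email
# confirmation cookies for member operations plus optional hashed passwords.
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor (assumption; tune for your hardware)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iters$salt$digest'; the plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class MemberStore:
    """Members keyed by address; under the proposal a password is optional."""

    def __init__(self, ttl_seconds=3 * 24 * 3600):
        self.members = {}   # address -> hashed password, or None if password-less
        self.pending = {}   # cookie -> (address, operation, expires_at)
        self.ttl = ttl_seconds

    def subscribe(self, address, password=None):
        self.members[address] = hash_password(password) if password else None

    def issue_confirmation(self, address, op, now=None):
        """Create the cookie that would be mailed to the member: CSPRNG, single use."""
        cookie = secrets.token_urlsafe(24)
        self.pending[cookie] = (address, op, (now or time.time()) + self.ttl)
        return cookie

    def confirm(self, cookie, now=None):
        """Consume a cookie; return (address, op), or None if unknown or expired."""
        entry = self.pending.pop(cookie, None)  # pop: a cookie is never reusable
        if entry is None:
            return None
        address, op, expires_at = entry
        return None if (now or time.time()) > expires_at else (address, op)

    def check_password(self, address, password):
        stored = self.members.get(address)
        return stored is not None and verify_password(password, stored)
```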