
Hi,
where should I submit security bugs? There are two more in my queue (minor ones, admittedly, as no server-side code execution is involved).
Shall I post them to this mailing list, and notify full-disclosure &c at the same time? (Terri will prove that these two bugs are non-issues as well, and propose to defer fixing them to 3.0 anyway, so I doubt that a private discussion would get us anywhere.)
Florian

On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
where should I submit security bugs? There are two more in my queue (minor ones, admittedly, as no server-side code execution is involved).
As a general rule, you can post security issues to mailman-cabal@python.org, which is a closed distribution list. I will try to find some time in the next few days to respond to the previous password issue.
-Barry

- Barry Warsaw:
On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
where should I submit security bugs? There are two more in my queue (minor ones, admittedly, as no server-side code execution is involved).
As a general rule, you can post security issues to mailman-cabal@python.org, which is a closed distribution list.
Thanks.
I will try to find some time in the next few days to respond to the previous password issue.
As this bug is now publicly documented, I've submitted a patch to the Debian BTS: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796>
Unfortunately, this patch is not portable because it relies on the existence of /dev/urandom.

On Dec 22, 2004, at 5:40 AM, Florian Weimer wrote:
Shall I post them to this mailing list, and notify full-disclosure &c at the same time? (Terri will prove that these two bugs are non-issues as well, and propose to defer fixing them to 3.0 anyway, so I doubt that a private discussion would get us anywhere.)
Hey! I wasn't trying to say that they're a non-issue. It's just that I think if we want to make claims of security, we should probably fix more than what you suggested and make it more clear to users what attack vectors there are. If we're talking about larger architectural changes to make things better, then such a fix would naturally fall into 3.0, where it could be done properly.
However, if users already have this expectation of security, then you're right, it makes sense to try to meet it as soon as possible. To be honest, I've encountered really few users who thought mailman archives were secure (I think I've encountered one in the years I've been working with mailman) so I was assuming this was a known flaw to most users.

On Wed, 2004-12-22 at 09:46, Florian Weimer wrote:
- Barry Warsaw:
On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
where should I submit security bugs? There are two more in my queue (minor ones, admittedly, as no server-side code execution is involved).
As a general rule, you can post security issues to mailman-cabal@python.org, which is a closed distribution list.
Thanks.
I will try to find some time in the next few days to respond to the previous password issue.
As this bug is now publicly documented, I've submitted a patch to the Debian BTS: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796>
Unfortunately, this patch is not portable because it relies on the existence of /dev/urandom.
Can you send me (via mailman-cabal) the patch -- I don't want to have to cut and paste it out of the referenced bug report.
If you do this, I will include the change_pw script for Mailman 2.1.6 and make a /dev/urandom based password optional based on an mm_cfg.py variable. I'm not sure exactly how to handle the listinfo text, but I'll think of something.
-Barry
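Barry's proposal above (a /dev/urandom-based password generator behind an mm_cfg.py switch, with Florian's portability concern kept in view) sketched as an added Python 3 example; this is not Mailman's code, and REQUIRE_OS_RANDOM, PASSWORD_LENGTH and PASSWORD_ALPHABET are assumed stand-ins for mm_cfg.py variables, not the project's real names.

```python
import hashlib
import math
import os
import secrets
import string
import time

# Constructed stand-ins for mm_cfg.py settings; the names are assumptions,
# not Mailman's real configuration variables.
REQUIRE_OS_RANDOM = True            # the proposed opt-in switch
PASSWORD_LENGTH = 12
PASSWORD_ALPHABET = string.ascii_letters + string.digits

def os_random_available() -> bool:
    """True when the platform exposes a CSPRNG through os.urandom().
    On Unix that is /dev/urandom; os.urandom() raises NotImplementedError
    where no such source exists, which is the portability gap noted above."""
    try:
        os.urandom(1)
    except NotImplementedError:
        return False
    return True

def legacy_password(length: int, alphabet: str) -> str:
    """Weaker fallback for hosts with no /dev/urandom: hash of time, pid and
    a counter. Its strength is bounded by how guessable those inputs are,
    so it should only run when REQUIRE_OS_RANDOM is off."""
    out, counter = [], 0
    while len(out) < length:
        seed = f"{time.time_ns()}:{os.getpid()}:{counter}".encode()
        digest = hashlib.sha256(seed).digest()
        out.extend(alphabet[b % len(alphabet)] for b in digest)  # modulo bias
        counter += 1
    return "".join(out[:length])

def make_password(length: int = PASSWORD_LENGTH,
                  alphabet: str = PASSWORD_ALPHABET,
                  require_os_random: bool = REQUIRE_OS_RANDOM) -> str:
    """Prefer the OS CSPRNG; fail closed unless the config allows the fallback."""
    if os_random_available():
        # secrets.choice draws from os.urandom with rejection sampling, so
        # every alphabet symbol is equally likely (no modulo bias).
        return "".join(secrets.choice(alphabet) for _ in range(length))
    if require_os_random:
        raise RuntimeError("no OS random source (/dev/urandom) on this host")
    return legacy_password(length, alphabet)

def entropy_bits(length: int, alphabet: str) -> float:
    """Bits of entropy of a uniformly drawn password of this length/alphabet."""
    return length * math.log2(len(alphabet))
```

With the switch on, a host without an OS random source gets an error instead of a silently weaker password, which is the failure mode an operator wants to see.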