[Mailman-Developers]
[ mailman-Bugs-566301 ] umbrella list: unsubscribe key public
noreply@sourceforge.net
noreply@sourceforge.net
Fri, 16 Aug 2002 14:59:18 -0700
Bugs item #566301, was opened at 2002-06-08 17:44
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=566301&group_id=103
Category: security/privacy
Group: 2.1 beta
Status: Open
Resolution: None
>Priority: 5
Submitted By: Stefan Divjak (stdivjak)
Assigned to: Nobody/Anonymous (nobody)
Summary: umbrella list: unsubscribe key public
Initial Comment:
Mailman offers a feature to set up an "umbrella-list",
which is used if a list just has other lists as members.
Assume we have an umbrella-list U, which has to
members, X and Y - both are also lists.
Now, cleverly, the monthly password reminders are
not sent to X and Y, but to "X-owner" and "Y-owner"
instead, so this information should reach the owners of
the subscribed lists (sending a password reminder to
X would mean giving each member of the X list the
power to unsubscribe X from U etc.).
But: If a member of X or Y opens the member options
page (http://my.server.net/mailman/options/U/X) and
clicks on the "unsubscribe" button, the necessary key
is mailed to X (and not to "X-owner"). This is probably
not what we want. If the list archive is not private, the
password is even available to everyone out there.
----------------------------------------------------------------------
>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-08-16 17:59
Message:
Logged In: YES
user_id=12800
Umbrella lists are a hack that will eventually go away.
Still, if they're there now they should at least be safer.
Any chance you'd like to generate a patch for this problem?
If not, I'm lowering the priority because it involves a
soon-to-be deprecated feature.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=566301&group_id=103