[Mailman-Developers] Handling potential security bugs

Terri Oda terri at zone12.com
Wed Dec 22 17:17:58 CET 2004

On Dec 22, 2004, at 5:40 AM, Florian Weimer wrote:
> Shall I post them to this mailing list, and notify full-disclosure &c
> at the same time?  (Terri will prove that these two bugs are
> non-issues as well, and propose to defer fixing them to 3.0 anyway, so
> I doubt that I private discussion would get us anywhere.)

Hey!  I wasn't trying to say that they're a non-issue.  It's just that 
I think if we want to make claims of security, we should probably fix 
more than what you suggested and make it more clear to users what 
attack vectors there are.  If we're talking about larger architectural 
changes to make things better, then such a fix would naturally fall 
into 3.0, where it could be done properly.

However, if users already have this expectation of security, then 
you're right, it makes sense to try to meet it as soon as possible.  To 
be honest, I've encountered really few users who thought mailman 
archives were secure (I think I've encountered one in the years I've 
been working with mailman) so I was assuming this was a known flaw to 
most users.

More information about the Mailman-Developers mailing list