[Mailman-Developers] [Fwd: [vendor-sec] Weak auto-generated passwords in Mailman]

Florian Weimer fw at deneb.enyo.de
Wed Dec 22 22:25:33 CET 2004

* JC Dill:

> Florian Weimer wrote:
>>Last time I checked, Mailman labels its member-only archives
>>"private", and the implicit promise to keep things posted to the list
>>private is not kept if the software assigns easily guessed to new
>>I can only repeat that Mailman's current behavior surprises your users
>> *a* *lot*,
> I disagree. 
> So called "private" archives are only kept from prying eyes until those 
> eyes subscribe at which time they are then visible.

Moderating subscription is also supported and heavily used.  List
administrators expect that it keeps out unwanted guests.

If this is not the case, you really should put a big fat warning
somewhere on the list configuration page.

>>and leads to security breaches.

> I would love to see a cite for your claim of "leads to security 
> breaches".  Do you know of actual cases where someone has gained access 
> to private archives by cracking a mailman generated semi-random password 
> rather than by simply subscribing, or by gaining access to a single 
> password thru intercept or social engineering means?

Yes, see the leaked message.

