[Mailman-Developers] Handling potential security bugs

Barry Warsaw barry at python.org
Tue Dec 28 04:37:01 CET 2004

On Wed, 2004-12-22 at 09:46, Florian Weimer wrote:
> * Barry Warsaw:
> > On Wed, 2004-12-22 at 05:40, Florian Weimer wrote:
> >
> >> where should I submit security bugs?  There are two more in my queue
> >> (minor ones, admittedly, as no server-side code execution is
> >> involved).
> >
> > As a general rule, you can post security issues to
> > mailman-cabal at python.org, which is a closed distribution list.
> Thanks.
> > I will try to find some time in the next few days to respond to the
> > previous password issue.
> As this bug is now publicly documented, I've submitted a patch to the
> Debian BTS: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796>
> Unfortunately, this patch is not portable because it relies on the
> existence of /dev/urandom.

Can you send me (via mailman-cabal) the patch -- I don't want to have to
cut and paste it out of the referenced bug report.

If you do this, I will include the change_pw script for Mailman 2.1.6
and make a /dev/urandom based password optional based on an mm_cfg.py
variable.  I'm not sure exactly how to handle the listinfo text, but
I'll think of something.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://mail.python.org/pipermail/mailman-developers/attachments/20041227/252179bc/attachment.pgp

More information about the Mailman-Developers mailing list