[Mailman-Developers] Hashing member passwords in config.pck

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Fri Feb 11 01:29:58 CET 2005


Hi,

John Dennis wrote:

> My suggestion would be:
> 
> 1) As soon as possible post MM 2.1.6 with the security patch.

+1

> 
> 2) Quickly follow up with MM 2.1.7 with the member passwords hashed. 

I would suggest 'mailman 2.2' and introduce password-less membership.
Most of the user operations should be done by confirmation string sent
by email message. Users can optionally have passwords, which should
be stored in hashed format.

Other 2.2 features I imagine are:
- Languages are selectable at configure option.
- Internal strings are unified to Unicode to reduce type checking.
- UTF-8 web pages for

> At
> the same time I think we should implement the stronger password
> generation suggested in this open advisory against mailman.
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143
> 
This has been integrated in 2.1.6 CVS.


-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/


