Bugs item #209499, was opened at 2000-07-13 20:26
Message generated for change (Comment added) made by msapiro
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Closed
Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: L. Peter Deutsch (lpd)
Assigned to: Nobody/Anonymous (nobody)
Summary: Security hole: passwords mailed in clear

Initial Comment:
I recently signed up on a SourceForge mailing list. The software mailed a confirmation notice to my mailbox, with the password in clear in the message. This is a basic security hole. I reported this as a SourceForge bug, and they said "Contact the gnu-mailman project."

In my opinion, passwords should never be mailed in clear, especially not to the e-mail address with which they are associated. Please consider changing this.


----------------------------------------------------------------------
Comment By: Mark Sapiro (msapiro)
Date: 2007-03-01 10:44

Message:
Logged In: YES
user_id23998
Originator: NO

This will finally be fixed in Mailman 2.2.

----------------------------------------------------------------------

Comment By: Benjamin Bl?mchen (bburkhart)
Date: 2006-11-26 11:23

Message:
Logged In: YES
user_idY7317
Originator: NO

Hello everyone,

to me, mailing passwords in clear text is never acceptable. In some
setups, one never knows who else is looking at the mail.

The lack of biological RAM in layer 8 is also not an excuse. There are
better ways of dealing with the password remembering problem.

Anyway, mailman is now out of question and also uninstalled from my
machine.

Cheers
Benjamin

----------------------------------------------------------------------

Comment By: L. Peter Deutsch (lpd)
Date: 2000-07-23 23:31

Message:
It's OK with me if you want to close this report; in my opinion, the
Resolution should say "Wont fix".


----------------------------------------------------------------------

Comment By: Thomas Wouters (twouters)
Date: 2000-07-17 02:43

Message:
The Mailman password is in no way a secure password. Mailman is intended
for a wide variety of users, most of whom are unable to remember even the
simplest password ;)

The Mailman password is not used as an authentication method, but more as
a *confirmation* method. You'll get a password reminder every month or so
(if the list admin and site admin enabled that) and the only things you use
the password for are unsubscribing, changing your options and viewing
the private archive (if any).

In future versions of Mailman it might be possible to use external
passwords for mailing list subscribers, but currently the infrastructure for
that is missing. It's on the TODO list, in any case :)


----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103


  • SourceForge.net at Mar 1, 2007 at 7:03 pm
    Bugs item #209499, was opened at 2000-07-13 23:26
    Message generated for change (Comment added) made by jimpop
    You can respond by visiting:
    https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103

    Please note that this message will contain a full copy of the comment thread,
    including the initial issue submission, for this request,
    not just the latest update.
    Category: None
    Group: None
    Status: Closed
    Resolution: Wont Fix
    Priority: 5
    Private: No
    Submitted By: L. Peter Deutsch (lpd)
    Assigned to: Nobody/Anonymous (nobody)
    Summary: Security hole: passwords mailed in clear

    Initial Comment:
    I recently signed up on a SourceForge mailing list. The software mailed a confirmation notice to my mailbox, with the password in clear in the message. This is a basic security hole. I reported this as a SourceForge bug, and they said "Contact the gnu-mailman project."

    In my opinion, passwords should never be mailed in clear, especially not to the e-mail address with which they are associated. Please consider changing this.


    ----------------------------------------------------------------------

    Comment By: Jim Popovitch (jimpop)
    Date: 2007-03-01 14:03

    Message:
    Logged In: YES
    user_id142
    Originator: NO

    Did you read the text on the SF mailing list subscription page? It goes
    like this:

    "You may enter a privacy password below. This provides only mild
    security, but should prevent others from messing with your
    subscription. Do not use a valuable password as it will occasionally
    be emailed back to you in cleartext."

    So, it's not a "bug", it's a "user following the instructions" issue. ;-)

    -Jim P.

    ----------------------------------------------------------------------

    Comment By: Mark Sapiro (msapiro)
    Date: 2007-03-01 13:44

    Message:
    Logged In: YES
    user_id23998
    Originator: NO

    This will finally be fixed in Mailman 2.2.

    ----------------------------------------------------------------------

    Comment By: Benjamin Bl?mchen (bburkhart)
    Date: 2006-11-26 14:23

    Message:
    Logged In: YES
    user_idY7317
    Originator: NO

    Hello everyone,

    to me, mailing passwords in clear text is never acceptable. In some
    setups, one never knows who else is looking at the mail.

    The lack of biological RAM in layer 8 is also not an excuse. There are
    better ways of dealing with the password remembering problem.

    Anyway, mailman is now out of question and also uninstalled from my
    machine.

    Cheers
    Benjamin

    ----------------------------------------------------------------------

    Comment By: L. Peter Deutsch (lpd)
    Date: 2000-07-24 02:31

    Message:
    It's OK with me if you want to close this report; in my opinion, the
    Resolution should say "Wont fix".


    ----------------------------------------------------------------------

    Comment By: Thomas Wouters (twouters)
    Date: 2000-07-17 05:43

    Message:
    The Mailman password is in no way a secure password. Mailman is intended
    for a wide variety of users, most of whom are unable to remember even the
    simplest password ;)

    The Mailman password is not used as an authentication method, but more as
    a *confirmation* method. You'll get a password reminder every month or so
    (if the list admin and site admin enabled that) and the only things you use
    the password for are unsubscribing, changing your options and viewing
    the private archive (if any).

    In future versions of Mailman it might be possible to use external
    passwords for mailing list subscribers, but currently the infrastructure for
    that is missing. It's on the TODO list, in any case :)


    ----------------------------------------------------------------------

    You can respond by visiting:
    https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103
