From 9aa6a390d9c483f858d4da532e9bec429659a14c Mon Sep 17 00:00:00 2001
From: nectar
Date: Wed, 1 Jun 2005 15:36:40 +0000
Subject: Another older mailman vulnerability, somewhat minor

---
 security/vuxml/vuln.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ae2996c..c3fd41e 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,44 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> + + mailman -- generated passwords are poor quality + + + mailman + ja-mailman + 2.1.5 + + + + +

Florian Weimer wrote:

+
+

Mailman 2.1.5 uses weak auto-generated passwords for new + subscribers. These passwords are assigned when members + subscribe without specifying their own password (either by + email or the web frontend). Knowledge of this password + allows an attacker to gain access to the list archive even + though she's not a member and the archive is restricted to + members only. [...]

+

This means that only about 5 million different passwords + are ever generated, a number that is in the range of brute + force attacks -- you only have to guess one subscriber + address (which is usually not that hard).

+
+ +
+ + CAN-2004-1143 + http://mail.python.org/pipermail/mailman-developers/2004-December/017553.html + http://mail.python.org/pipermail/mailman-developers/attachments/20041215/be238297/attachment.mht + + + 2004-12-15 + 2005-06-01 + +
+ mailman -- password disclosure
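Review bot: the affected range for mailman and ja-mailman shows only the single version "2.1.5", while the quoted advisory states "Mailman 2.1.5 uses weak auto-generated passwords", so 2.1.5 itself has to fall inside the range; if the bound is written as `<lt>2.1.5</lt>` it excludes exactly the release the advisory describes, and it should instead be `<le>2.1.5</le>` (or `<lt>` the first release that ships the corrected password generator) so that portaudit flags an installed 2.1.5. The references cover only the disclosure post and its attachment; a pointer to the upstream fix would let maintainers verify that upper bound. The description also quotes the "about 5 million different passwords" figure but truncates the reasoning behind it with "[...]"; a clause saying where that bound comes from would make the entry self-explanatory for readers who do not follow the link.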