Security issues: passwords are stored in plaintext

Bug #1501762 reported by Steeve McCauley
Affects: GNU Mailman | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Passwords for the mailing list users are stored in plaintext, and mailed to the users each month as "reminders" by default.

Passwords should be hashed securely using modern hashing methods and the password thrown away. Mailing passwords in plaintext is something that was acceptable in 1992, barely. Doing so in 2015 is insane.

At the very least the default setting of mailing out users' passwords in plaintext should be eliminated. Password recovery methods should be modernized.
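Added illustration of the fix the report asks for (this is example code written for this page, not the reporter's code and not Mailman's own implementation): each subscriber password is kept only as a salted PBKDF2-HMAC-SHA256 hash, so there is no plaintext left to mail out, and the monthly "reminder" is replaced by a single-use, time-limited reset token. The storage string layout, the `MemberStore` class, the function names and the iteration count and token lifetime are this example's own choices, not anything Mailman defines.

```python
"""Hashed password storage and token-based reset (added example, not Mailman code)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical storage format chosen for this example: algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # example tuning value; raise as hardware allows
SALT_BYTES = 16
RESET_TOKEN_TTL = 3600      # seconds a reset token stays valid (example value)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing hash string; the plaintext is thrown away."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                       # malformed record never verifies
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


class MemberStore:
    """In-memory subscriber table, constructed for this example."""

    def __init__(self) -> None:
        self._hashes: Dict[str, str] = {}
        self._reset_tokens: Dict[str, Tuple[str, float]] = {}   # token -> (address, expiry)

    def subscribe(self, address: str, password: str) -> None:
        self._hashes[address] = hash_password(password)

    def login(self, address: str, password: str) -> bool:
        stored = self._hashes.get(address)
        return stored is not None and verify_password(password, stored)

    def monthly_reminder_body(self, address: str) -> str:
        """The old reminder is impossible now: the stored hash cannot be inverted."""
        return f"The password for {address} cannot be shown; request a reset link instead."

    def issue_reset_token(self, address: str, now: Optional[float] = None) -> Optional[str]:
        """Mail this single-use, expiring token instead of the password."""
        if address not in self._hashes:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL
        self._reset_tokens[token] = (address, expiry)
        return token

    def consume_reset_token(self, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
        """Redeem a token exactly once; unknown or expired tokens are rejected."""
        entry = self._reset_tokens.pop(token, None)
        if entry is None:
            return False
        address, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self._hashes[address] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = MemberStore()
    store.subscribe("alice@example.org", "hunter2")
    print(store.login("alice@example.org", "hunter2"))        # True
    print(store.monthly_reminder_body("alice@example.org"))   # no password in the mail
    token = store.issue_reset_token("alice@example.org")
    print(store.consume_reset_token(token, "new-passphrase")) # True, once only
```

The verify path reads the iteration count from the stored record, so old records keep working if the default is raised later; the reset token is popped before the expiry check so that even an expired token cannot be retried.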

information type: Private Security → Public Security
Revision history for this message
Mark Sapiro (msapiro) wrote :

This is a well known, long standing issue. See <https://bugs.launchpad.net/mailman/+bug/265179>. It is fixed in Mailman 3. It won't be fixed in Mailman 2.1, but you can stop sending monthly reminders by removing the crontab entry that sends them.
