[Mailman-Developers] Password security vulnerability
Barry A. Warsaw
barry@python.org
Wed Oct 23 13:18:46 2002
>>>>> "DDC" == Dirk De Coninck <Dirk.DeConinck@inno.com> writes:
DDC> It seems there is a bug in the listadmin password checking. I
DDC> have version 2.0.11 running at my site and in my experience
DDC> mailman only looks at the first 8 characters of a
DDC> password. This was a real problem for me as all the listadmin
DDC> passwords began with the name of the list... As a result one
DDC> could log in by typing the name of the list (for those lists
DDC> with a name longer than 8 characters). I have searched the
DDC> archives if this is a known problem or if there is a fix
DDC> available but without success. I would appreciate any
DDC> feedback regarding this issue.
Set USE_CRYPT=0 to use md5 hashed passwords over crypt()'d passwords.
Note that MM2.1 uses sha hashes for all passwords.
DDC> P.S. Thank you all for your contributions and the development
DDC> of mailman. Keep up the good work !!!
You're welcome!
-Barry
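
An added example, not part of the original message or of Mailman's code: an audit that flags list admin passwords weakened by the 8-character truncation described above, next to a full-length md5 comparison as with USE_CRYPT=0. The truncation is modelled (first 8 bytes, low 7 bits of each, as traditional DES crypt() uses) rather than calling crypt(); all function names and the sample data are assumptions constructed for illustration.

```python
import hashlib

CRYPT_KEY_BYTES = 8  # traditional DES crypt() uses only the first 8 bytes


def crypt_key_material(password: str) -> bytes:
    """Model the input traditional DES crypt() actually uses: the first
    8 bytes, low 7 bits of each. This is a model, not a crypt() call."""
    raw = password.encode("utf-8")[:CRYPT_KEY_BYTES]
    return bytes(b & 0x7F for b in raw)


def accepted_under_crypt(stored: str, attempt: str) -> bool:
    """True if `attempt` would verify against a crypt() hash of `stored`."""
    return crypt_key_material(stored) == crypt_key_material(attempt)


def accepted_under_md5(stored: str, attempt: str) -> bool:
    """Full-length comparison, as with USE_CRYPT=0 (md5 of whole password)."""
    h = lambda s: hashlib.md5(s.encode("utf-8")).digest()
    return h(stored) == h(attempt)


def audit(list_passwords: dict) -> list:
    """Return (list name, reason) for passwords weakened by truncation."""
    findings = []
    for name, pw in sorted(list_passwords.items()):
        if len(pw.encode("utf-8")) <= CRYPT_KEY_BYTES:
            continue  # nothing is truncated
        if accepted_under_crypt(pw, name):
            findings.append((name, "list name alone is accepted"))
        else:
            findings.append((name, "only first 8 bytes are checked"))
    return findings


# Constructed sample data: list name -> admin password.
SAMPLE = {
    "engineering-announce": "engineering-announce-X7q!",
    "staff": "staff-v9Lk2",
    "dev": "s3cr3t",
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```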