[ML-General] Anyone else having trouble changing their Mailman settings?

Hunter Fuller hfuller at pixilic.com
Sun May 8 23:00:10 CDT 2016


Arthur,

I'll write to you under separate cover wrt your first issue, since I
am unable to reproduce it (the button lists my mailing list
subscriptions). For future reference, you can find the netadmin
contact information here:
https://256.makerslocal.org/wiki/Network#Delegates_and_Contact_Information

With regards to the privacy concerns, email is sent over the Internet
in plain text, so it doesn't bother me much that the page contents are
not sent using TLS. The password thing does bother me a bit, I'll
admit, but all an attacker could do is change your settings and read
the archives - not send mail as you. In the meantime, I will add a
correct TLS certificate to the roadmap. It will be possible now that
Let's Encrypt exists; before, it was cost prohibitive.

The password being stored in plain text isn't a serious vulnerability
in this case (in my opinion). An attacker could use a stolen password
database to access the archives... but they also could have just
stolen the archives while they were stealing your password.
Nevertheless, it is not possible to "update" to Mailman 3. There is no
upgrade path between Mailman 2 and 3 at this time.

I hope this assuages some of your concerns.

--
Hunter Fuller
root



On Sat, May 7, 2016 at 11:35 AM, Arthur <Arthur at cd-net.net> wrote:
> Hey folks,
>
> I'd like to check with you all and see if Mailman is working correctly.
>
> You can check if you can change your settings at
> http://lists.makerslocal.org//mailman/options/general/  Yes, I know it has
> two slashes after the domain name, but I'm just a regular user looking at
> the page.
>
> I'd appreciate it if someone would double check my findings, since I can't
> seem to get things to work correctly.
>
> Mailman refuses to save any settings, and just bounces a user back to the
> password screen when clicking save, or trying to view all subscriptions.
>
> Steps to Reproduce:  Log in, then click "List my other subscriptions"
> Mitigation:  ????? (I have no clue)
>
> No HTTPS, so passwords are sent in plain text over the air.
>
> Steps to Reproduce:  Try to visit the https page and receive a certificate
> error.
> Mitigation:  Switch to HTTPS only, with a valid (default trusted)
> certificate
>
> Passwords are stored in plain text on the server.
>
> Steps to Reproduce:  Request a password reminder, which just E-Mails your
> password to you!
> Mitigation:  Update to Mailman 3.  Mailman 2 does not support password
> hashing.
>
>
> While the security issues are a big deal, my problem is I can't do things
> like set digest mode, or change any settings for that matter.  I'd
> appreciate it if someone else would check and see if they're having the same
> issues.
>
> --
> Sincerely,
> Arthur Moore
> (256) 277-1001
>
> _______________________________________________
> general mailing list - general at lists.makerslocal.org
> A service of Makers Local 256 - https://256.makerslocal.org/
> http://lists.makerslocal.org/mailman/listinfo/general
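The password-storage point in the thread (a reminder that mails the password back means it is stored recoverably; the proposed mitigation is password hashing), as an added example that is not part of either message: a constructed Mailman-2-style recoverable store beside a salted PBKDF2 store that can only verify a password or issue a single-use reset token. Class names, the iteration count and the sample credentials are assumptions, not Mailman code or settings.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not a Mailman setting


class RecoverableStore:
    # Mailman-2-style store: the password itself is kept, so a "reminder"
    # can mail it back, and a stolen database yields every password as-is.
    def __init__(self):
        self._pw = {}
    def set_password(self, user, password):
        self._pw[user] = password
    def check(self, user, password):
        return self._pw.get(user) == password
    def reminder(self, user):
        return self._pw[user]  # the reminder e-mail carries the password


class HashedStore:
    # Salted PBKDF2 store: a password can be verified but not recovered, so
    # "forgot password" must issue a single-use reset token instead.
    def __init__(self):
        self._pw, self._reset = {}, {}
    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._derive(password, salt))
    def check(self, user, password):
        rec = self._pw.get(user)
        if rec is None:
            return False  # unknown user gets the same answer as a bad password
        salt, digest = rec
        return hmac.compare_digest(self._derive(password, salt), digest)
    def reminder(self, user):
        raise LookupError("password is not recoverable; issue a reset token")
    def issue_reset_token(self, user):
        token = secrets.token_urlsafe(32)
        # Keep only the token's hash so a leaked token table cannot be replayed.
        self._reset[user] = hashlib.sha256(token.encode()).digest()
        return token
    def redeem_reset_token(self, user, token, new_password):
        expected = self._reset.get(user)
        given = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(given, expected):
            return False
        del self._reset[user]  # a redeemed token cannot be used twice
        self.set_password(user, new_password)
        return True
```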


