On Wed, 2005-02-09 at 14:53 -0500, seth vidal wrote:
> On Wed, 2005-02-09 at 14:41 -0500, R P Herrold wrote:
> > Sorry for the cross post, but this is an important one
> > potentially affecting all recipients.
> >
> > This just crossed the Full Disclosure mailman moderated
> > mailing list. It bears a careful read, and thought about
> > whether a response is needed.
> >
> > The implication is that if there is any use of a mailman
> > password in common with a password you 'care' about, you need
> > to take appropriate action at once. Also some backends merge
> > Bugzilla and mailman password stores, which can cause
> > unexpected secondary effects.
> >
> > I have not seen a patch yet, and so one has to assume that the
> > configs and passwords for all mailman moderated mailing lists
> > are compromised. Once a fix issues, Mailman moderators will
> > want to do a global password change, and local list
> > modification.
> >
>
> the patch to mailman came out weeks ago unless this is a new password
> exposure bug.
>
> -sv

I think you are thinking about this one:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412

but if that number is right (CAN-2005-0202) ... then this is brand new
(it isn't even published yet):

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202

-- 
Johnny Hughes
<http://www.HughesJR.com/>