Re: Mailman password reminder emails

I'm not sure changing the password helps, since it was basically public
to start out with, and hasn't been more exposed than it was before.

Just know that the IETF's mailing lists are all security-broken, and act
accordingly.

-Ben


On 08/01/2018 16:44, Art N wrote:
> So I suppose a password change would be prudent?
> 
> 
> Regards, Art Nitsche
> 
> 
> ________________________________
> From: IETF-Announce <ietf-announce-bounces@xxxxxxxx> on behalf of Glen <glen@xxxxxxxx>
> Sent: Wednesday, August 1, 2018 9:08 AM
> To: ietf-announce@xxxxxxxx
> Subject: Mailman password reminder emails
> 
> Greetings -
> 
> A number of you - myself included - will have received the dreaded
> Mailman password reminder email this morning.   This is obviously a
> bad thing: the script, part of the Mailman distribution, sends Mailman
> passwords out to users in regular clear email.  Worse, its operation
> cannot be disabled via configuration option, it can only be disabled
> by patching the Mailman source files:  commenting out the relevant
> cron entry, and removing the script.
> 
> AMS regularly applies OS-provided software updates and security
> patches to the IETF servers as a part of our ongoing maintenance
> duties.  We've seen Mailman updates before install without issue;
> however, the most recent update silently re-enabled the cron entry and
> restored the script... and we did not catch it.  So, last night, the
> flood began.
> 
> Since we all love technical details, some of you might ask, "How could
> a security patch re-enable a cron entry?"  Mailman has its own crontab
> file, a copy of which is kept in its operating directory.  The Mailman
> start script re-copies this file into /etc/cron.d whenever Mailman
> starts.  So, the patch updated the crontab copy, containing the
> offending (or offensive) line, and the file overwrites the live copy
> on the next server startup.  What fun!
> 
> Our engineers have already disabled and removed the script again, and
> I've asked them to add a specific monitoring rule to our monitoring
> systems that will continuously check for the presence of this script
> and alert our team immediately if it is ever restored again by a
> future update.
> 
> I apologize for the disturbance and the noise.
> 
> Glen
> --
> Glen Barney
> IT Director
> AMS (IETF Secretariat)
> 
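
The monitoring rule Glen describes, written out as an added example (this is not code from the thread or from AMS): a POSIX sh check that reports whether the Mailman password reminder job has come back, either as an uncommented `mailpasswds` line in the live cron file or as the reminder script itself. The paths `/etc/cron.d/mailman` and `cron/mailpasswds` are assumptions about a typical Mailman 2 layout and are passed as parameters; the fixture files in `demo` are constructed, not real system files.

```shell
#!/bin/sh
# Added example, not part of the original thread. Detects whether a package
# update has restored the Mailman password reminder job that the operators
# had disabled by commenting out its cron line and removing the script.
# Assumed layout (parameters, not facts from the thread):
#   live cron file  -> /etc/cron.d/mailman
#   reminder script -> /var/lib/mailman/cron/mailpasswds

# Usage: mailman_reminder_restored CRON_FILE SCRIPT_PATH
# Returns 0 (true, raise an alert) when an active mailpasswds cron line or
# the script file is present; returns 1 when both are absent or commented out.
mailman_reminder_restored() {
    cron_file=$1
    script_path=$2
    restored=1
    # Ignore comment lines so the deliberately disabled entry is not a match.
    if [ -f "$cron_file" ] &&
       grep -v '^[[:space:]]*#' "$cron_file" | grep -q 'mailpasswds'; then
        echo "ALERT: active mailpasswds cron entry in $cron_file"
        restored=0
    fi
    if [ -e "$script_path" ]; then
        echo "ALERT: reminder script present at $script_path"
        restored=0
    fi
    return $restored
}

# Constructed fixtures so the check can be exercised without a Mailman host.
demo() {
    tmp=$(mktemp -d)
    printf '0 5 1 * * mailman /usr/bin/python -S /var/lib/mailman/cron/mailpasswds\n' > "$tmp/live"
    printf '#0 5 1 * * mailman /usr/bin/python -S /var/lib/mailman/cron/mailpasswds\n' > "$tmp/disabled"
    : > "$tmp/mailpasswds"
    mailman_reminder_restored "$tmp/live" "$tmp/missing" && echo "-> update re-enabled the cron entry"
    mailman_reminder_restored "$tmp/disabled" "$tmp/missing" || echo "-> disabled crontab, no script: clean"
    mailman_reminder_restored "$tmp/disabled" "$tmp/mailpasswds" && echo "-> script restored despite disabled cron line"
    rm -rf "$tmp"
}

demo
```

In production the call would be `mailman_reminder_restored /etc/cron.d/mailman /var/lib/mailman/cron/mailpasswds` from the monitoring agent, alerting on a zero exit status.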
