Re: Mailman password reminder emails

Dear Glen,

There still is the issue that such a system is storing the passwords in
clear text. It is really bad and must be fixed ASAP. I have little
knowledge of mailman but, if not supported by default, I think that it
can be easy to link it with some module to interact with PAM to support
ciphered passwords. Please consider it. Thank you.

Regards,
Pedro

On Wed, Aug 01, 2018 at 09:08:00AM -0700, Glen wrote:
> Greetings -
> 
> A number of you - myself included - will have received the dreaded
> Mailman password reminder email this morning. This is obviously a
> bad thing: the script, part of the Mailman distribution, sends Mailman
> passwords out to users in regular clear email. Worse, its operation
> cannot be disabled via a configuration option; it can only be disabled
> by patching the Mailman source files: commenting out the relevant
> cron entry and removing the script.
> 
> AMS regularly applies OS-provided software updates and security
> patches to the IETF servers as a part of our ongoing maintenance
> duties.  We've seen Mailman updates before install without issue;
> however, the most recent update silently re-enabled the cron entry and
> restored the script... and we did not catch it.  So, last night, the
> flood began.
> 
> Since we all love technical details, some of you might ask, "How could
> a security patch re-enable a cron entry?"  Mailman has its own crontab
> file, a copy of which is kept in its operating directory.  The Mailman
> start script re-copies this file into /etc/cron.d whenever Mailman
> starts.  So, the patch updated the crontab copy, containing the
> offending (or offensive) line, and the file overwrites the live copy
> on the next server startup.  What fun!
> 
> Our engineers have already disabled and removed the script again, and
> I've asked them to add a specific monitoring rule to our monitoring
> systems that will continuously check for the presence of this script
> and alert our team immediately if it is ever restored again by a
> future update.
> 
> I apologize for the disturbance and the noise.
> 
> Glen
> --
> Glen Barney
> IT Director
> AMS (IETF Secretariat)
> 

-- 
Pedro Martinez-Julia
Network Science and Convergence Device Technology Laboratory
Network System Research Institute
National Institute of Information and Communications Technology (NICT)
4-2-1, Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
Email: pedro@xxxxxxxxxx
---------------------------------------------------------
*** Entia non sunt multiplicanda praeter necessitatem ***
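An added example, not part of the thread and not Mailman's own code: a monitoring check of the kind Glen's team added, which fails when the password-reminder script or an active crontab line for it reappears, alongside the remediation he describes (comment out the cron line, remove the script). The thread does not name the script; the example assumes the Mailman 2.1 layout, where the job is cron/mailpasswds under the Mailman prefix and the live crontab is /etc/cron.d/mailman. Both paths are parameters so the functions can be run against the constructed test tree built by make_fixture instead of a live server.

```shell
#!/bin/sh
# Added example (not from the thread, not Mailman's own code).
# Assumptions: Mailman 2.1 layout, script at PREFIX/cron/mailpasswds,
# live crontab at /etc/cron.d/mailman. Both are passed as arguments.

# check_reminder PREFIX CRONFILE
# Returns 0 when clean; 1 when the script exists or the crontab carries an
# active (uncommented) line that runs it. Prints one line per finding, so
# it can be wired into a cron/monitoring job that alerts on non-zero exit.
check_reminder() {
    _prefix=$1; _cron=$2; _rc=0
    if [ -e "$_prefix/cron/mailpasswds" ]; then
        echo "ALERT: reminder script present: $_prefix/cron/mailpasswds"
        _rc=1
    fi
    # A line is active when mailpasswds appears before any '#' on it.
    if [ -r "$_cron" ] && grep -Eq '^[^#]*mailpasswds' "$_cron"; then
        echo "ALERT: active mailpasswds entry in $_cron"
        _rc=1
    fi
    return $_rc
}

# disable_reminder PREFIX CRONFILE
# The fix described in the thread: comment out every active mailpasswds
# line (leaving other jobs untouched) and remove the script itself.
disable_reminder() {
    _prefix=$1; _cron=$2
    if [ -w "$_cron" ]; then
        sed '/^[^#]*mailpasswds/s/^/# disabled: /' "$_cron" > "$_cron.tmp" \
            && mv "$_cron.tmp" "$_cron"
    fi
    rm -f "$_prefix/cron/mailpasswds"
}

# make_fixture DIR
# Constructed sample tree mimicking the state after an update has
# restored the job: script present and crontab line active.
make_fixture() {
    _dir=$1
    mkdir -p "$_dir/mailman/cron" "$_dir/cron.d"
    printf '#!/bin/sh\necho "would mail passwords"\n' \
        > "$_dir/mailman/cron/mailpasswds"
    cat > "$_dir/cron.d/mailman" <<'EOF'
# Mailman crontab (constructed sample, not the real file)
MAILTO=mailman
0 8 * * * mailman /usr/lib/mailman/cron/checkdbs
0 5 1 * * mailman /usr/lib/mailman/cron/mailpasswds
EOF
}

# Stand-alone demo: ./check_mailpasswds.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    make_fixture "$t"
    check_reminder "$t/mailman" "$t/cron.d/mailman" \
        || echo "restored job found, disabling"
    disable_reminder "$t/mailman" "$t/cron.d/mailman"
    check_reminder "$t/mailman" "$t/cron.d/mailman" && echo "clean"
    rm -rf "$t"
fi
```

On a real host the check would be called as `check_reminder /usr/lib/mailman /etc/cron.d/mailman` from the monitoring system; because the start script re-copies the packaged crontab on every restart, the check has to run continuously rather than once after patching.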



