FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- generated passwords are poor quality

Affected packages
ja-mailman < 2.1.6
mailman < 2.1.6

Details

VuXML ID b3cd00f7-c0c5-452d-87bc-086c5635333e
Discovery 2004-12-15
Entry 2005-06-01

Florian Weimer wrote:

Mailman 2.1.5 uses weak auto-generated passwords for new subscribers. These passwords are assigned when members subscribe without specifying their own password (either by email or the web frontend). Knowledge of this password allows an attacker to gain access to the list archive even though she's not a member and the archive is restricted to members only. [...]

This means that only about 5 million different passwords are ever generated, a number that is in the range of brute force attacks -- you only have to guess one subscriber address (which is usually not that hard).
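The 5 million figure above is the whole point of the advisory: a subscriber password is only as strong as the number of distinct values the generator can ever emit, not its length or appearance. The following is an added example, not code from the advisory or from Mailman, that turns that reasoning into a check a maintainer can run against any generator: it converts a search-space size into bits, flags spaces below a chosen minimum, and shows a CSPRNG-backed replacement whose space is computed from its alphabet and length. The 5,000,000 value is the advisory's own figure; the 64-bit threshold and the 16-character default are assumptions made here.

```python
import math
import secrets
import string

# Search space quoted in the advisory for Mailman 2.1.5 auto-generated
# passwords ("about 5 million"); taken from the text, not measured here.
MAILMAN_215_SPACE = 5_000_000

# Assumed policy threshold for this example: below this many bits, a
# generated secret is treated as brute-forceable rather than a credential.
MINIMUM_BITS = 64.0


def search_space_bits(space: int) -> float:
    """Effective entropy, in bits, of a generator that can emit `space`
    equally likely outputs. This is the quantity that matters for
    an offline or online guessing attack, independent of how the
    password looks."""
    if space < 1:
        raise ValueError("search space must contain at least one value")
    return math.log2(space)


def alphabet_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings a generator produces when it picks
    `length` symbols uniformly and independently from `alphabet_size`
    symbols."""
    return alphabet_size ** length


def meets_minimum(space: int, minimum_bits: float = MINIMUM_BITS) -> bool:
    """Policy check: does the generator's search space clear the threshold?"""
    return search_space_bits(space) >= minimum_bits


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Replacement generator backed by the OS CSPRNG via the `secrets`
    module. Every position is an independent uniform draw from
    `alphabet`, so its search space is exactly alphabet_space(len(alphabet), length)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    weak_bits = search_space_bits(MAILMAN_215_SPACE)
    strong_space = alphabet_space(len(string.ascii_letters + string.digits), 16)
    print(f"Mailman 2.1.5 space: {weak_bits:.1f} bits, "
          f"meets {MINIMUM_BITS:.0f}-bit minimum: {meets_minimum(MAILMAN_215_SPACE)}")
    print(f"16 x [A-Za-z0-9] space: {search_space_bits(strong_space):.1f} bits, "
          f"meets minimum: {meets_minimum(strong_space)}")
    print("sample replacement password:", generate_password())
```

Running the check against the advisory's figure shows roughly 22 bits, which is why guessing one subscriber address and iterating the password space is described as feasible; the same check against the 16-character alphanumeric replacement gives about 95 bits. The useful habit is to compute the space from the generator's actual construction rather than from the output's length, since a generator can produce long strings from a tiny internal state.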

References

CVE Name CVE-2004-1143
Message http://mail.python.org/pipermail/mailman-developers/2004-December/017553.html
Message 87llc0u6l8.fsf@deneb.enyo.de