On Wed, 9 Mar 2005, Brent Chapman wrote:
> Date: Wed, 9 Mar 2005 14:51:15 -0800
> From: Brent Chapman <Brent@greatcircle.com>
> To: Daniel Liston <dliston@sonny.org>
> Cc: majordomo-workers@greatcircle.com
> Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
>
> At 4:37 PM -0600 3/9/05, Daniel Liston wrote:
> >I would not mind moving into the role of release coordinator.
>
> OK, that's an option I'll definitely consider.
>
> If anybody wants to speak up for or against Dan taking over the role
> of release coordinator, please let me know your reasons ASAP; feel
> free to send me private email, if you'd rather not discuss it
> publicly.

I enthusiastically support Dan as Majordomo Release Coordinator.

> >I can think of several of the unofficial patches that could
> >be rolled in to make a dandy 1.94.6 release, as well as a few
> >bug and security fixes and "unsupported" utilities. :)
>
> Yeah, though we might also want to consider getting the security
> patch(es) out quickly as 1.94.6, and then following up with a feature
> release (perhaps 1.95?). That would make it easy for folks to
> address just the security issue, without worrying about what new bugs
> might be introduced by the new features.

I recommend the following patches available in:
ftp://ftp.ccsf.org/majordomo-patches/1.94.5/
for 1.94.6:

  config_parse.pl-resend.3  Bounces non-member messages to sender|owner|both|no_one
  majordomo.1               Fixes the which command @ hole
  majordomo.5               Provides more robust confirmation procedure
  majordomo.7               Patch to deal correctly with <List>.intro file
  noCommand_noBounce.0      Causes majordomo not to respond to SPAM
  passwd.4                  Integrates passwd and newconfig commands
  resend.1                  Puts missing "Subject" header if(subject_prefix)
  restrict2domain.1         Extends restrict_post attribute to accept email
  sample.cf.0               Defines variables for robust confirmation and
                            sets a default policy for non-member bounce
  validate_@._.1            Addresses must not have multiple @ or . or any @..

I have been using them all for years.

For 1.95.0 I recommend html-stripper-v0.1. Other patches in the site may
also be useful, but I have not tested them.

Incidentally, I believe majordomo.5 is the solution to the problem in the
algorithm used to generate cookies in 1.94.5 for use in "auth" commands.

Regards,
Joe
--
_/ _/_/_/ _/ ____________ __o
_/ _/ _/ _/ ______________ _-\<,_
_/ _/ _/_/_/ _/ _/ ......(_)/ (_)
_/_/ oe _/ _/. _/_/ ah jjah@sol.ccsf.cc.ca.us
> >If you do move the development effort to sourceforge, are you
> >considering any changes to a GNU license?
>
> I don't recall why I originally chose the TIS license (which is what
> I based the Majordomo license on, with their permission) rather than
> a GNU license. If I recall correctly, the GNU license was nowhere
> near as well-established back then, and was just one of several "open
> source" (though that term hadn't come into use yet, I don't think)
> licenses that were floating around.
>
> >Would greatcircle still host the mailing lists?
>
> Yes, if necessary, though it might make sense to move them to
> Sourceforge as well (if that's a service they offer; I don't know).
> Nobody here is paying any attention to bounces or requests for
> approval on the Majordomo-* mailing lists.
>
> >There were a couple years where I was intimately familiar with
> >the inner workings of majordomo, and I still have a back burner
> >project to make majordomo LDAP aware. I intend to use an on/off
> >switch for this feature, if I ever get time to finish it. :(
> >
> >I just don't want to see majordomo die of neglect, and I prefer
> >the simplicity of 1.9x to the complexity of "][".
>
> Noble sentiments.
>
>
> -Brent
> --
> Brent Chapman <Brent@GreatCircle.COM>
> Great Circle Associates, Inc.
> http://www.greatcircle.com/
> +1 650 962 0841