When resetting passwords and once a month in the daily mailing list reminder, I get my password sent to me in plain text, meaning that we don't hash and salt the passwords. This seems like a security issue.
| Status | Tag | Priority | Task |
|---|---|---|---|
| Open | Security | None | T181803 Stop storing Mailman passwords in plain text |
| Stalled | | None | T52864 Have a conversation about migrating from GNU Mailman 2.1 to GNU Mailman 3.0 |
| Open | | None | T130554 Official support for upgrade from existing Mailman 2.1 lists to Mailman 3 |
Mentioned In
- T52864: Have a conversation about migrating from GNU Mailman 2.1 to GNU Mailman 3.0

Mentioned Here
- T66547: Upgrade some lists to Mailman 3
- T97492: Upgrade to Mailman 3.0
- T130554: Official support for upgrade from existing Mailman 2.1 lists to Mailman 3
- T52864: Have a conversation about migrating from GNU Mailman 2.1 to GNU Mailman 3.0
Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.
Threat-modeling this a bit, I personally think it far more likely that a malicious actor happens across lists.wikimedia.org and sees it's running a preposterously outdated version of Mailman and goes from there, as opposed to finding random, public Phab bugs like this one. The solution here is to upgrade Mailman, which has been discussed for several years now (see: T52864, T97492, T66547, T130554) where the exact issue this task describes has been previously noted (T97492#1243823). The upgrade just needs to be prioritized and scheduled, which can be a very complicated process around here.
Keep in mind these passwords are (mostly?) randomly chosen by Mailman, not the user, so they are closer to tokens than traditional passwords (doesn't make this less terrible, but adjusts the threat model slightly).
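For readers of this task who want to see what "hash and salt" means in practice for the token-style passwords described above, here is an added illustration; it is example code written for this page, not Mailman's own code or a proposed patch to it. It generates a random list password the way Mailman hands one out, stores only a salted PBKDF2-HMAC-SHA256 digest in a hypothetical record format of the form `pbkdf2_sha256$<iterations>$<salt>$<digest>`, and verifies a candidate with a constant-time comparison. The storage format, function names and iteration count are assumptions for the example. Note the consequence for the monthly reminder mail: once only the digest is stored, the server can no longer put the password itself in an e-mail, so a reminder has to become a reset flow instead.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Hypothetical record format (an assumption for this example, not Mailman's):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def generate_list_password(nbytes: int = 12) -> str:
    """Random, token-like password of the kind Mailman assigns to subscribers."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record containing a fresh per-password salt and the digest.

    The plaintext never appears in the record, so a database dump (or a
    reminder script reading it) cannot recover the password from it.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the digest for `candidate` under the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False   # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def reminder_body(list_name: str, stored: str) -> str:
    """What a monthly reminder can say once only a digest is stored.

    Only the record is available to the mailer, so the password cannot be
    quoted; the mail has to point at a reset flow instead.
    """
    assert not stored.startswith("plain$"), "plaintext records are not supported"
    return (
        f"This is your monthly reminder for the {list_name} list.\n"
        "Your password is not stored in recoverable form; use the reset "
        "form on the list options page if you have forgotten it.\n"
    )


if __name__ == "__main__":
    # Constructed demo: subscribe, store the digest, check a login attempt.
    password = generate_list_password()
    record = hash_password(password)
    print("stored record:", record)
    print("correct password accepted:", verify_password(password, record))
    print("wrong password rejected:", not verify_password(password + "x", record))
    print(reminder_body("wikitech-l", record))
```

Two salted hashes of the same password produce different records, so equal passwords across subscribers are not detectable from the database either, and the iteration count is stored alongside the digest so it can be raised later without invalidating existing records.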