
devel - Re: [sympa-developpers] Reusable authentication keys

Subject: Developers of Sympa

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-developpers] Reusable authentication keys
  • Date: Thu, 31 Mar 2016 15:41:16 +0200



On 31/03/2016 11:49, IKEDA Soji wrote:
All,

Done.  Now the AUTH command takes a random hash key 16 bytes in
length.

If 6.2.15 will be released in the coming days, I'll pause large changes.

Alright Soji.
I'll try to tag it tomorrow. We have some annoying bugs fixed in the current branch that need to be released.
I'll update the catalogues now, so that we can update translations, then we'll tag the version.

Cheers,

David


Regards,

-- Soji

On Mon, 15 Feb 2016 19:08:56 +0900
IKEDA Soji <address@concealed> wrote:

Hi developers,

I realized that the authentication key used by the AUTH command is
reusable, because it depends only on the target email, the list name
if any, and the secret "cookie" parameter (see Sympa::compute_auth(),
which generates this key).  To disable the key, the administrator has
no choice but to change the "cookie" parameter.

A remarkable case is the global REMIND command.  Once the auth key is
disclosed, any user becomes able to send the command
"AUTH <auth key> REMIND *" to distribute remind messages to all
users.

So I propose changing the AUTH command to use one-time auth keys,
similar to those the CONFIRM and DISTRIBUTE commands use, instead of
persistent keys.

Any objections or questions?


Regards,

-- Soji.

-- 
Conversion Co., Ltd.  Security & OSS Solutions Department   IKEDA Soji
Access Oimachi Bldg. 4F, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
e-mail address@concealed  TEL 03-6429-2880
http://www.conversion.co.jp/


--
A bug in Sympa? Quick! To the bug tracker!

 
David Verdin
Application studies and projects
 
Tel: +33 2 23 23 69 71
Fax: +33 2 23 23 71 21
 
www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex




Attachment: smime.p7s
Description: S/MIME cryptographic signature
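A simplified model of the two schemes Soji contrasts in the quoted message, added here as an illustration and not code from Sympa or its Sympa::compute_auth(): a key derived deterministically from the target email, the list name and the site "cookie" secret, which verifies every time it is presented, beside a random 16-byte one-time key that is bound to one command and consumed on first use. The cookie value, function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for Sympa's site-wide "cookie" parameter.
SITE_COOKIE = "constructed-site-secret"


def persistent_auth_key(email: str, listname: str, cookie: str = SITE_COOKIE) -> str:
    """Deterministic key: the same (email, list, cookie) always yields the
    same value, so the key stays valid until the cookie itself is changed."""
    msg = f"{email}\n{listname}".encode()
    return hmac.new(cookie.encode(), msg, hashlib.sha256).hexdigest()[:32]


def verify_persistent(key: str, email: str, listname: str, cookie: str = SITE_COOKIE) -> bool:
    return hmac.compare_digest(key, persistent_auth_key(email, listname, cookie))


class OneTimeKeyStore:
    """One-time keys: 16 random bytes are issued per request, remembered
    together with the (email, command) they authorise, and deleted when
    used, so a disclosed or replayed key is rejected the second time."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def issue(self, email: str, command: str) -> str:
        key = secrets.token_hex(16)  # 16 random bytes, hex encoded
        self._pending[key] = (email, command)
        return key

    def verify_and_consume(self, key: str, email: str, command: str) -> bool:
        # Single lookup-and-delete so the key cannot be used twice.
        entry = self._pending.pop(key, None)
        if entry is None:
            return False
        if entry != (email, command):
            return False  # key was issued for a different requester or command
        return True


def demo() -> tuple[int, int]:
    """Present each kind of key three times; return how many times each verified."""
    email = "alice@example.org"  # constructed sample address
    k = persistent_auth_key(email, "*")
    persistent_uses = sum(verify_persistent(k, email, "*") for _ in range(3))
    store = OneTimeKeyStore()
    o = store.issue(email, "REMIND *")
    onetime_uses = sum(store.verify_and_consume(o, email, "REMIND *") for _ in range(3))
    return persistent_uses, onetime_uses
```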



