Issue 50 - All IssueZilla passwords are being posted to the mailing lists
Status: CLOSED NOT_AN_OOO_ISSUE
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: Bugzilla
Version: current
Hardware: All All
Importance: P1 (highest) Trivial
Target Milestone: ---
Assignee: Unknown
QA Contact: issues@www
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2000-10-25 00:15 UTC by bill.roth
Modified: 2003-12-27 10:23 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description bill.roth 2000-10-25 00:15:58 UTC
They should be removed. Seems like a security hole to me.
Comment 1 Unknown 2000-10-25 00:36:14 UTC
What mailing lists? Please be specific. There are many mailing lists.
One way of specifying more rigorously is to use the URL field above 
to reference the mail-archive dir or the specific message w/ a problem.

If you mean, IZ had in the past posted passwords to
bugs@<project>.openoffice.org, that is the result of operator error
in Hamburg as they did not know of 
    http://www.openoffice.org/issues/editusers.cgi?action=add
which is a way of creating new lists w/o posting passwords...

However, now that the lists have been set up, this should not be a problem
anymore. Also, the Hamburg employee who caused the password messages to
go out claims he has changed all the posted passwords. Furthermore, these
bugs@<project>.openoffice.org lists have no privileges whatsoever, so there
shouldn't be a security concern with this issue.

I am therefore marking this defect as "invalid". Please reopen if
for some reason any of your concerns aren't being addressed here.

Below is some previous mail on this issue that I wrote. (edited to remove 
email addresses and quotation of post I'm replying to, since the author
of that post hasn't given me permission to repost his mail (I haven't asked)):
--------------------------------
Subject: Re: [tools-bugs] Your OpenOffice Issuezilla password. 
Date: Wed, 18 Oct 2000 11:49:30 -0700
From: "Niels P. Mayer" <npm@collab.net>

[...]

These are mailing lists and "role accounts". You should never log in to a
mailing list in issuezilla -- it simply doesn't make any sense. People
accepting bugs or assigning bugs need to do it as themselves not as a
virtual user or role account. Issue-tracking and workflow requires making
personal requests and commitments that do not make sense unless you're
putting your own name (or at least personal email) on the line.

[ why message went to dev@tools.oo.org ...]

No. The message should have gone to bugs@tools, and it appears to have been
sent there. Replies to bugs@<project> should go to dev@<project> so perhaps
that's what happened.

However, when creating new mailing lists-based "pseudo-users" one needn't
have them send mail at all. An admin-level user (e.g. Stefan T or Michael B
or anybody with issuezilla parameter "Editusers" set on their account) can
use the "add new user" form
(http://www.openoffice.org/issues/editusers.cgi?action=add) and set the
password directly, preferably to something nobody will ever guess,
remember, or use, since you're not supposed to login to mailing list
accounts in the first place.

Furthermore, remember when setting up mailing-list "pseudo-users" in
IssueZilla, these users should have no privileges whatsoever. They should
not be able to change the status of an issue, or edit any aspect of an
issue, or accept an issue. Specifically, all the following parameters
should be OFF:
       Canconfirm: Can confirm an issue.
       Creategroups: Can create and destroy groups.
       Editcomponents: Can create, destroy, and edit components.
       Editissues: Can edit all aspects of any issue.
       Editkeywords: Can create, destroy, and edit keywords.
       Editusers: Can edit or disable users
       Tweakparams: Can tweak operating parameters

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> Niels Mayer (npm@collab.net)       http://www.cybertribe.com/mayer  <<
>>                    CollabNet, San Francisco, CA                     <<
>>  Collab.Net is hiring!  Go to http://www.collab.net/jobs for info.  <<
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
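
The rule stated in the mail above (mailing-list pseudo-users get an unguessable password set directly by an admin and every privilege parameter OFF) can be checked mechanically. The following is an added example, not part of the original thread and not IssueZilla code. The CSV export layout, the `example-project` list, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
import re
import secrets

# The seven IssueZilla privilege parameters listed in the mail above.
PRIVILEGE_FLAGS = (
    "Canconfirm", "Creategroups", "Editcomponents", "Editissues",
    "Editkeywords", "Editusers", "Tweakparams",
)

# Assumption: list pseudo-users are recognised by their address shape,
# bugs@<project>.openoffice.org, as named in the comment above.
LIST_ACCOUNT = re.compile(r"^bugs@[a-z0-9-]+\.openoffice\.org$", re.IGNORECASE)

# Constructed sample export; this CSV layout is hypothetical, not IssueZilla's.
SAMPLE_EXPORT = """\
login,Canconfirm,Creategroups,Editcomponents,Editissues,Editkeywords,Editusers,Tweakparams
bugs@tools.openoffice.org,0,0,0,0,0,0,0
bugs@example-project.openoffice.org,1,0,0,1,0,0,0
alice@example.org,1,0,0,1,0,1,0
"""

def audit_list_accounts(export_text):
    """Return {login: [enabled privilege flags]} for list pseudo-users only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        login = row["login"].strip()
        if not LIST_ACCOUNT.match(login):
            continue  # personal accounts may legitimately hold privileges
        enabled = [f for f in PRIVILEGE_FLAGS
                   if (row.get(f) or "").strip().lower() in ("1", "on", "true", "yes")]
        findings[login] = enabled
    return findings

def unguessable_password(nbytes=32):
    """Random password for a role account that nobody is meant to log in to."""
    return secrets.token_urlsafe(nbytes)

def violations(export_text):
    """List accounts that break the all-flags-OFF rule, with the flags to clear."""
    audited = audit_list_accounts(export_text)
    return {login: flags for login, flags in audited.items() if flags}

if __name__ == "__main__":
    for login, flags in violations(SAMPLE_EXPORT).items():
        print(f"{login}: turn OFF {', '.join(flags)}")
    print("new role-account password length:", len(unguessable_password()))
```

The generated password is meant to be typed into the admin form and then discarded, so it never travels through a mailing list.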
Comment 2 stx123 2000-10-25 10:58:15 UTC
And the passwords have been changed...
Comment 3 stx123 2000-11-13 11:04:54 UTC
No further action needed