
List:       mailman-developers
Subject:    [Mailman-Developers] Postorius 1.1.2 security release
From:       Abhilash Raj <maxking () asynchronous ! in>
Date:       2017-12-28 7:16:06
Message-ID: 1514445366.370.24.camel () asynchronous ! in


Hi Everyone,

I am pleased to announce that Postorius 1.1.2 is released and is up on PyPI[1].
This release fixes a security bug that sets the password of a user in Core to
their display name. It is recommended that you upgrade to this version.

Postorius (Django) and Mailman Core both have different notions of "user" and
"password". When a user account is created in Postorius, it creates a user in
Core using the REST API. This bug causes the password of the user created in Core
to be set to their display name instead.

However, as of now, there are no use cases of the user password in Core and it
is present only for historical reasons. So, while this bug is a serious one, it
wouldn't result in any real-world exploit. Along with the bug-fix, this release
includes a new command that resets *all* user passwords in Core to a random
value. Again, there are no use cases of these passwords so resetting *all* of
them isn't going to cause any inconvenience to users.

This command should be run after the upgrade:


    $ cd mailman-suite/mailman-suite_project/
    $ python manage.py reset_passwords


Python 2.7 is the only supported Python version for this release. All versions
of Django <=1.11 are supported.

For more information about GNU Mailman and Postorius, please see our website:

   http://list.org

The source code is available on Gitlab:
   
   https://gitlab.com/mailman/



[1]: https://pypi.org/project/postorius


-- 
thanks,
Abhilash Raj

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/mailman-developers%40progressive-comp.com


Security Policy: http://wiki.list.org/x/QIA9
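The defect the announcement describes, shown as an added example that is not Postorius or Mailman code: a user-creation helper that passes the display name where the password belongs, the corrected helper that generates a random password, a check that finds accounts still carrying the defective value, and a reset-all routine in the spirit of the `reset_passwords` command. `FakeCore` is a constructed in-memory stand-in for Mailman Core's REST user store; its method names and the two helper names are assumptions, not the real API.

```python
"""Added example (not Postorius/Mailman code).

Demonstrates the announced defect (display name stored as the Core
password), the corrected creation path, detection of affected accounts,
and a reset of every Core password to a random value.
"""
import secrets


class FakeCore:
    """Constructed stand-in for Mailman Core's user store (assumption)."""

    def __init__(self):
        # email -> {"display_name": ..., "password": ...}
        self.users = {}

    def create_user(self, email, password, display_name=""):
        # Positional order (email, password, display_name) is an assumption
        # chosen to show how a swapped argument produces the bug.
        self.users[email] = {"display_name": display_name, "password": password}

    def set_password(self, email, password):
        self.users[email]["password"] = password


def create_user_buggy(core, email, display_name):
    """Defect pattern: the display name ends up in the password slot."""
    core.create_user(email, display_name, display_name)


def create_user_fixed(core, email, display_name):
    """Corrected pattern: a fresh random password per Core user."""
    core.create_user(email, secrets.token_urlsafe(32), display_name)


def find_affected(core):
    """Emails whose Core password still equals their display name."""
    return sorted(
        email for email, user in core.users.items()
        if user["password"] == user["display_name"]
    )


def reset_passwords(core):
    """Set every Core user's password to a random value; returns the count."""
    for email in list(core.users):
        core.set_password(email, secrets.token_urlsafe(32))
    return len(core.users)


if __name__ == "__main__":
    core = FakeCore()
    # Constructed sample accounts.
    create_user_buggy(core, "alice@example.com", "Alice Example")
    create_user_fixed(core, "bob@example.com", "Bob Example")
    print("affected before reset:", find_affected(core))
    print("reset", reset_passwords(core), "users")
    print("affected after reset:", find_affected(core))
```

`find_affected` is the check an operator would want before and after running the reset: it reports exactly the accounts created through the defective path, and an empty result afterwards confirms that no Core password still mirrors a display name.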


