Hi Everyone,
I am pleased to announce that Postorius 1.1.2 is released and is up on PyPI[1].
This release fixes a security bug that sets the password of a user in Core to
their display name. It is recommended that you upgrade to this version.
Postorius (Django) and Mailman Core both have different notion of "user" and
"password". When a user account in created in Postorius, it creates a user in
Core using the REST API. This bug, causes the password of user created in Core
to be set to their display name instead.
However, as of now, there are no use cases of the user password in Core and it
is present only for historical reasons. So, while this bug is a serious one, it
wouldn't result in any real-world exploit. Along with the bug-fix, this release
includes a new command that resets *all* user passwords in Core to a random
value. Again, there are no use cases of these passwords so resetting *all* of
them isn't going to cause any inconvenience to users.
This command should be run after the upgrade:
$ cd mailman-suite/mailman-suite_project/
$ python manage.py reset_passwords
Python 2.7 is the only supported Python version for this release. All versions
of Django <=1.11 is supported.
For more information about GNU Mailman and Postorius, please see our website:
http://list.org
The source code is available on Gitlab:
https://gitlab.com/mailman/
[1]: https://pypi.org/project/postorius
--
thanks,
Abhilash Raj
