I am pleased to announce that Postorius 1.1.2 is released and is up on PyPI1. This release fixes a security bug that sets the password of a user in Core to their display name. It is recommended that you upgrade to this version.
Postorius (Django) and Mailman Core both have different notion of "user" and "password". When a user account in created in Postorius, it creates a user in Core using the REST API. This bug, causes the password of user created in Core to be set to their display name instead.
However, as of now, there are no use cases of the user password in Core and it is present only for historical reasons. So, while this bug is a serious one, it wouldn't result in any real-world exploit. Along with the bug-fix, this release includes a new command that resets *all* user passwords in Core to a random value. Again, there are no use cases of these passwords so resetting *all* of them isn't going to cause any inconvenience to users.
This command should be run after the upgrade:
$ cd mailman-suite/mailman-suite_project/ $ python manage.py reset_passwords
Python 2.7 is the only supported Python version for this release. All versions of Django <=1.11 is supported.
For more information about GNU Mailman and Postorius, please see our website:
The source code is available on Gitlab: