From maxking at asynchronous.in Thu Dec 28 02:16:06 2017 From: maxking at asynchronous.in (Abhilash Raj) Date: Wed, 27 Dec 2017 23:16:06 -0800 Subject: [Mailman-Announce] Postorius 1.1.2 security release Message-ID: <1514445366.370.24.camel@asynchronous.in> Hi Everyone, I am pleased to announce that Postorius 1.1.2 is released and is up on PyPI[1]. This release fixes a security bug that sets the password of a user in Core to their display name. It is recommended that you upgrade to this version. Postorius (Django) and Mailman Core both have different notion of "user" and "password". When a user account in created in Postorius, it creates a user in Core using the REST API. This bug, causes the password of user created in Core to be set to their display name instead. However, as of now, there are no use cases of the user password in Core and it is present only for historical reasons. So, while this bug is a serious one, it wouldn't result in any real-world exploit. Along with the bug-fix, this release includes a new command that resets *all* user passwords in Core to a random value. Again, there are no use cases of these passwords so resetting *all* of them isn't going to cause any inconvenience to users. This command should be run after the upgrade: $ cd mailman-suite/mailman-suite_project/ $ python manage.py reset_passwords Python 2.7 is the only supported Python version for this release. All versions of Django <=1.11 is supported. For more information about GNU Mailman and Postorius, please see our website: http://list.org The source code is available on Gitlab: https://gitlab.com/mailman/ [1]: https://pypi.org/project/postorius -- thanks, Abhilash Raj -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 866 bytes Desc: This is a digitally signed message part URL: