Hey Everyone,
I have just tagged release 0.3.12 on GitHub for container images for Mailman 3 [1]. This release includes the fix for CVE-2021-40347 that was announced earlier today. For the folks using 0.3 or 0.3.11 release tags, it is highly recommended that you upgrade to this release.
This release also bumps the version of Mailman Core to 3.3.4, Mailmanclient to 3.3.3 and Django-mailman3 to 1.3.7.
Note that since the main and v0.3.12 branches are different in many ways, the default documentation [2] and the docker-compose.yaml files in the main branch aren't accurate if you are using the stable release. Please refer to the README [3] at the v0.3.12 tag in the GitHub repo for more accurate docker-compose.yaml and documentation.
The project has grown large enough that we need to start versioning the documentation. If someone has experience with versioning docs using GitHub Pages and mkdocs, then I very much need some help here!
For those of you who are using the rolling release, it is recommended that you **don't** upgrade to this stable release. The fixes have been pulled into the rolling tags too, so just make sure that you upgrade to the latest published version of the rolling release, which as of this writing should be based on commit fda837f8d15540e190992c30f7971f50fca54dac [4]. This might not be the latest by the time you upgrade if I add a new commit, so look for versions published after 4:00 PM PST 9/5/2021.
I am also working on cutting a new release, 0.4.0, which is backwards incompatible with the setup required to talk to web server and MTA (hence the minor version bump!). That should bring the rolling releases and stable releases closer to each other and add improvements around not needing static IPs in the docker network anymore, plus several bug fixes.
If someone wants to test the upgrade to 0.4.0 from 0.3 release and is willing to try out the instructions at [5], it would give me some confidence in cutting out the release sooner. The only thing stopping the release of 0.4.0 images is that I haven't verified if the upgrade from 0.3 is documented enough or not.
For all the registries listed in the README [6], I am still trying to push to Quay (maybe I need to just skip pushing to Quay :-). So, just use the other two to pull the images. GitHub (ghcr.io) has a more generous pull download policy for unauthenticated users, though.
-- thanks, Abhilash Raj (maxking)