Postorius 1.1.2 security release
Hi Everyone,
I am pleased to announce that Postorius 1.1.2 is released and is up on PyPI. This release fixes a security bug that sets the password of a user in Core to their display name. It is recommended that you upgrade to this version.
Postorius (Django) and Mailman Core both have different notions of "user" and "password". When a user account is created in Postorius, it creates a user in Core using the REST API. This bug causes the password of the user created in Core to be set to their display name instead.
However, as of now, there are no use cases for the user password in Core; it is present only for historical reasons. So, while this bug is a serious one, it wouldn't result in any real-world exploit. Along with the bug fix, this release includes a new command that resets *all* user passwords in Core to a random value. Again, there are no use cases for these passwords, so resetting *all* of them isn't going to cause any inconvenience to users.
This command should be run after the upgrade:
$ cd mailman-suite/mailman-suite_project/
$ python manage.py reset_passwords
Python 2.7 is the only supported Python version for this release. All versions of Django <=1.11 are supported.
For more information about GNU Mailman and Postorius, please see our website:
The source code is available on Gitlab:
-- thanks, Abhilash Raj
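The bug described in the announcement above, modelled as an added example (this is not Postorius or Mailman code). It assumes, purely for illustration, a Core client whose create_user call takes (email, password, display_name) positionally; the FakeCoreClient stands in for the real REST client so the example runs offline. It shows how a display name can land in the password slot, the keyword-argument fix with a random password, and a bulk reset of the kind the reset_passwords command performs.

```python
"""Added example: positional-argument mix-up that stores a display name as a
password, the fix, and a bulk password reset. Hypothetical client shape."""
import secrets


class FakeCoreClient:
    """Stand-in for the Mailman Core REST client (constructed for this example,
    not the real API)."""

    def __init__(self):
        self.users = {}  # email -> {"password": ..., "display_name": ...}

    def create_user(self, email, password, display_name=""):
        # Parameter order (email, password, display_name) is the trap: a caller
        # passing the display name positionally puts it into the password slot.
        self.users[email] = {"password": password, "display_name": display_name}
        return self.users[email]

    def get_user(self, email):
        return self.users[email]

    def set_password(self, email, password):
        self.users[email]["password"] = password


def create_user_vulnerable(core, email, display_name):
    """Bug class: display_name passed positionally becomes the Core password."""
    return core.create_user(email, display_name)


def create_user_fixed(core, email, display_name):
    """Fix: keyword arguments so nothing slides into the wrong slot, and a
    random Core password, since the web UI never uses it."""
    return core.create_user(
        email,
        password=secrets.token_urlsafe(32),
        display_name=display_name,
    )


def reset_all_passwords(core):
    """Equivalent of a reset-all command: rotate every Core password to a fresh
    random value. Returns the number of accounts rotated."""
    count = 0
    for email in list(core.users):
        core.set_password(email, secrets.token_urlsafe(32))
        count += 1
    return count


def demo():
    """Run the vulnerable path, the reset, and the fixed path on sample users."""
    core = FakeCoreClient()
    create_user_vulnerable(core, "alice@example.com", "Alice Example")
    leaked = core.get_user("alice@example.com")["password"] == "Alice Example"
    rotated = reset_all_passwords(core)
    alice_after = core.get_user("alice@example.com")["password"]
    create_user_fixed(core, "bob@example.com", "Bob Example")
    bob = core.get_user("bob@example.com")
    return {
        "leaked_before_reset": leaked,
        "rotated": rotated,
        "alice_password_is_name": alice_after == "Alice Example",
        "bob_password_is_name": bob["password"] == bob["display_name"],
    }


if __name__ == "__main__":
    print(demo())
```

The reset deliberately iterates over a snapshot of the user list and uses secrets rather than random, so the new values are unpredictable even though nothing currently reads them.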
Hi,
On 27 December 2017 at 23:16 -0800, Abhilash Raj <maxking@asynchronous.in> wrote:
Python 2.7 is the only supported Python version for this release. All versions of Django <=1.11 are supported.
I see the below error when I try to upgrade postorius. Given the statement above, I assume it's a problem with Django then -- I've got no Python experience after all. So, what's the correct way to upgrade postorius if just using `$ pip install --upgrade' doesn't work?
(env2) mailman@alexandria:~$ pip install --upgrade postorius
Collecting postorius
Downloading postorius-1.1.2.tar.gz (383kB)
100% |████████████████████████████████| 389kB 2.1MB/s
Collecting Django>=1.8 (from postorius)
Downloading Django-2.0.tar.gz (8.0MB)
100% |████████████████████████████████| 8.0MB 137kB/s
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-_z8tGq/Django/setup.py", line 32, in <module>
version = __import__('django').get_version()
File "django/__init__.py", line 1, in <module>
from django.utils.version import get_version
File "django/utils/version.py", line 61, in <module>
@functools.lru_cache()
AttributeError: 'module' object has no attribute 'lru_cache'
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-_z8tGq/Django/
(env2) mailman@alexandria:~$ python --version
Python 2.7.13
Greetings Marvin
-- Blog: https://mg.guelker.eu PGP/GPG ID: F1D8799FBCC8BC4F
On 29 December 2017 at 20:57 +0100, Marvin Gülker <m-guelker@phoenixmail.de> wrote:
I see the below error when I try to upgrade postorius. Given the statement above, I assume it's a problem with Django then -- I've got no Python experience after all. So, what's the correct way to upgrade postorius if just using `$ pip install --upgrade' doesn't work?
Nevermind, reading pip's help fixed the problem. The correct command is:
$ pip install --upgrade --upgrade-strategy only-if-needed postorius
Interestingly, it worked without the --upgrade-strategy switch for Mailman Core.
Dear, I'm going to be happy when Mailman 3 makes it into Debian stable's repos...
Greetings Marvin
-- Blog: https://mg.guelker.eu PGP/GPG ID: F1D8799FBCC8BC4F
On 12/29/2017 08:57 PM, Marvin Gülker wrote:
Hi,
On 27 December 2017 at 23:16 -0800, Abhilash Raj <maxking@asynchronous.in> wrote:
Python 2.7 is the only supported Python version for this release. All versions of Django <=1.11 are supported.
I see the below error when I try to upgrade postorius. Given the statement above, I assume it's a problem with Django then -- I've got no Python experience after all. So, what's the correct way to upgrade postorius if just using `$ pip install --upgrade' doesn't work?
(env2) mailman@alexandria:~$ pip install --upgrade postorius
Collecting postorius
Downloading postorius-1.1.2.tar.gz (383kB)
100% |████████████████████████████████| 389kB 2.1MB/s
Collecting Django>=1.8 (from postorius)
Downloading Django-2.0.tar.gz (8.0MB)
100% |████████████████████████████████| 8.0MB 137kB/s
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-_z8tGq/Django/setup.py", line 32, in <module>
version = __import__('django').get_version()
File "django/__init__.py", line 1, in <module>
from django.utils.version import get_version
File "django/utils/version.py", line 61, in <module>
@functools.lru_cache()
AttributeError: 'module' object has no attribute 'lru_cache'
The issue is that django 2.0 doesn't support python3 anymore.
On 29 December 2017 at 21:19 +0100, Simon Hanna wrote:
The issue is that django 2.0 doesn't support [python2, corrected by me] anymore.
Fine, but why does pip then still try to download it? Shouldn't there be a constraint in the metadata for django and/or postorius somewhere that prevents that and forces it to a lower version?
Note: The problem is solved for me, see my last post.
Greetings Marvin
-- Blog: https://mg.guelker.eu PGP/GPG ID: F1D8799FBCC8BC4F