[Pkg-mailman-hackers] [Mailman-cabal] Potential security flaw in Postorius
Abhilash
raj.abhilash1 at gmail.com
Wed Dec 27 08:05:09 UTC 2017
On Tue, 2017-12-26 at 11:37 -0500, Barry Warsaw wrote:
> On Dec 25, 2017, at 16:44, Abhilash Raj <raj.abhilash1 at gmail.com> wrote:
>
> > Currently, there are no use cases of a user's password in Core.
>
> This is correct. User passwords in Core are a vestige of an earlier
> time. They weren’t completely removed from the model because there are some
> potential use cases we were keeping the door open for, and because it would
> require a database migration. So unless some third party code were using them
> through the REST API or as an add-on rule/handler (unlikely - and we know
> HyperKitty and Postorius don’t use this field), then I think the effective
> security problems are nonexistent.
Thanks Barry!
So, I am going to tag and release Postorius 1.1.2 sometime tomorrow (27th Dec)
and also push the changes to GitLab.
How does that sound to everyone?
--
thanks,
Abhilash Raj