[Pkg-mailman-hackers] [Mailman-cabal] Potential security flaw in Postorius

Barry Warsaw barry at list.org
Tue Dec 26 16:37:16 UTC 2017


On Dec 25, 2017, at 16:44, Abhilash Raj <raj.abhilash1 at gmail.com> wrote:

> Currently, there are no use cases of a user's password in Core.

This is correct.  User passwords in Core are a vestige of an earlier time.  They weren’t completely removed from the model because there are some potential use cases we were keeping the door open for, and because it would require a database migration.  So unless some third party code were using them through the REST API or as an add-on rule/handler (unlikely - and we know HyperKitty and Postorius don’t use this field), then I think the effective security problems are nonexistent.

Cheers,
-Barry

