Control: tags 1136003 + patch
Control: tags 1136003 + pending
Dear maintainer, I've prepared an NMU for postorius (versioned as 1.3.13-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. I am making this upload because we would otherwise regress from trixie after the released DSA. Regards, Salvatore
diffstat for postorius-1.3.13 postorius-1.3.13
 changelog | 7 +++++++
 patches/0003-Fixing-held_messages.js.patch | 27 +++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 35 insertions(+)
diff -Nru postorius-1.3.13/debian/changelog postorius-1.3.13/debian/changelog
--- postorius-1.3.13/debian/changelog 2025-03-12 11:01:34.000000000 +0100
+++ postorius-1.3.13/debian/changelog 2026-05-14 19:24:38.000000000 +0200
@@ -1,3 +1,10 @@
+postorius (1.3.13-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fixing held_messages.js (CVE-2026-44742) (Closes: #1136003)
+
+ -- Salvatore Bonaccorso <[email protected]> Thu, 14 May 2026 19:24:38 +0200
+
 postorius (1.3.13-1) unstable; urgency=medium
 * New upstream release.
diff -Nru postorius-1.3.13/debian/patches/0003-Fixing-held_messages.js.patch postorius-1.3.13/debian/patches/0003-Fixing-held_messages.js.patch
--- postorius-1.3.13/debian/patches/0003-Fixing-held_messages.js.patch 1970-01-01 01:00:00.000000000 +0100
+++ postorius-1.3.13/debian/patches/0003-Fixing-held_messages.js.patch 2026-05-14 19:23:43.000000000 +0200
@@ -0,0 +1,27 @@
+From: Danil Smirnov <[email protected]>
+Date: Sun, 19 Jan 2025 12:22:12 +0200
+Subject: Fixing held_messages.js
+Origin: https://gitlab.com/mailman/postorius/-/commit/8d00a3c317729f37435bdbd27170f630e341f29e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-44742
+Bug-Debian: https://bugs.debian.org/1136003
+
+---
+ src/postorius/static/postorius/js/held_messages.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/postorius/static/postorius/js/held_messages.js b/src/postorius/static/postorius/js/held_messages.js
+index e5ec7acc2061..1ddf9e3b70ed 100644
+--- a/src/postorius/static/postorius/js/held_messages.js
++++ b/src/postorius/static/postorius/js/held_messages.js
+@@ -9,7 +9,7 @@ var loadjs = function(rest_url, error_message) {
+ url: rest_url + msgid,
+ success: function(data) {
+ $('#message-source-btn').attr('href', rest_url + msgid + '?raw')
+- $('#message-title').html(data.subject);
++ $('#message-title').text(data.subject);
+ $('.modal-footer form input[name="msgid"]').attr('value', msgid);
+ if (data.msg.body) {
+ $('#held-message-content').text(data.msg.body);
+--
+2.53.0
+
diff -Nru postorius-1.3.13/debian/patches/series postorius-1.3.13/debian/patches/series
--- postorius-1.3.13/debian/patches/series 2025-03-12 10:10:00.000000000 +0100
+++ postorius-1.3.13/debian/patches/series 2026-05-14 19:23:52.000000000 +0200
@@ -1,2 +1,3 @@
 0001-README.rst-remove-embedded-images.patch
 0002-Drop-requests_panel.patch
+0003-Fixing-held_messages.js.patch
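Review bot: The new `.text(data.subject)` line is the right sink for sender-controlled data, but nothing in the hunk records why, so a later refactor can quietly reintroduce `.html()`; add a comment above it such as `// data.subject is attacker-controlled (the held message's Subject header): render as text, never .html() (CVE-2026-44742)`. The neighbouring `url: rest_url + msgid` and `attr('href', rest_url + msgid + '?raw')` lines concatenate `msgid` into a URL unchanged, and `msgid` is defined outside the hunk; if it can carry characters like `/`, `?` or `#`, it should be wrapped in `encodeURIComponent(msgid)` before being joined — worth confirming against where the caller obtains it. The body is already rendered through `.text(data.msg.body)`, so the subject was the only `.html()` sink visible here, but any other `.html()` call fed from fields of the REST response elsewhere in held_messages.js deserves the same treatment. The enclosing `loadjs` function starts and ends outside the hunk.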

