On 5/7/26 03:22, Alyssa Ross wrote:
> The current released version of Postorius, and earlier versions, contain
> an XSS vulnerability in the admin UI. A fix was merged upstream in
> January 2025, which included documentation of the security issue in the
> news file[1], but no release has been made since, and I don't see any
> previous discussion in the oss-security archives. Distributions
> packaging the latest release that have not backported this fix are
> vulnerable. I have heard that this issue is being actively exploited.
>
> [1]:
> https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
Yikes! Looks like the PyPI version is also vulnerable. I wonder if Postorius is going to make a release again, or if users should start deploying git versions in the future. I know that the (unrelated) h2o project (a C HTTP server library and daemon) does tell users to use its master branch.

--
Sincerely,
Demi Marie Obenour (she/her/hers)