[Pkg-mailman-hackers] Bug#993746: CVE-2021-40347 seems to be fixed

Boud Roukema bouddebbug at cosmo.torun.pl
Sun Oct 15 12:35:02 BST 2023


Hi Maintainers,

* https://security-tracker.debian.org/tracker/CVE-2021-40347 says that this
bug (993746 - python3-django-postorius: CVE-2021-40347 New upstream to fix security bug)
is fixed in all versions.

A quick browse is consistent with that:

* buster patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/buster-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch

* bullseye patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/bullseye-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch

* bookworm/trixie/sid are at version 1.3.8-3 https://tracker.debian.org/pkg/postorius

I'm new to mailman3 (finally got the upgrade from mailman2 done), but
it looks like time to close this bug.

Cheers
Boud


