Debian alert DLA-4600-1 (postorius)
From: Daniel Leidert <dleidert@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4600-1] postorius security update
Date: Tue, 26 May 2026 00:39:38 +0200
Message-ID: <ec1085b87640b69c20abb8737f339f0ec1f4e458.camel@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4600-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
May 25, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : postorius
Version        : 1.3.4-2+deb11u2
CVE ID         : CVE-2026-44742
Debian Bug     : 1136003

A vulnerability has been discovered in postorius, a web user interface to
access GNU Mailman3.

CVE-2026-44742

    If an email is sent to a mailing list with a subject containing HTML
    code and placed in Held messages, the HTML code is rendered without
    escaping in the title of the Held messages pop-up, leading to a
    Cross-site Scripting (XSS) vulnerability.

For Debian 11 bullseye, this problem has been fixed in version
1.3.4-2+deb11u2.

We recommend that you upgrade your postorius packages.

For the detailed security status of postorius please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postorius

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
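
The flaw class described above, as an added example (not Postorius code and not the Debian patch): a decoded Subject placed into a pop-up title with and without HTML escaping. The sample message, the `modal-title` markup and all function names are assumptions made for illustration.

```python
"""Added example: a held message's Subject must be HTML-escaped at output."""
from email import message_from_string, policy
from html import escape

# Constructed sample message. The Subject carries a harmless <b> tag whose
# opening half is RFC 2047 encoded ("PGI+" is base64 for "<b>"), so the
# markup is not visible in the raw header line.
RAW_MESSAGE = (
    "From: sender@example.org\n"
    "To: list@example.org\n"
    "Subject: =?utf-8?b?PGI+?= quarterly report </b>\n"
    "\n"
    "body\n"
)

TITLE_OPEN = '<h5 class="modal-title">'  # hypothetical markup, not Postorius's
TITLE_CLOSE = "</h5>"


def held_subject(raw: str) -> str:
    """Return the decoded Subject, as a web UI would receive it."""
    msg = message_from_string(raw, policy=policy.default)
    return str(msg["Subject"] or "")


def title_unescaped(subject: str) -> str:
    """Flawed pattern: the subject is interpolated into HTML as-is."""
    return f"{TITLE_OPEN}{subject}{TITLE_CLOSE}"


def title_escaped(subject: str) -> str:
    """Corrected pattern: the subject is escaped, so it stays plain text."""
    return f"{TITLE_OPEN}{escape(subject, quote=True)}{TITLE_CLOSE}"


if __name__ == "__main__":
    subject = held_subject(RAW_MESSAGE)
    print("decoded subject:", subject)
    print("unescaped      :", title_unescaped(subject))
    print("escaped        :", title_escaped(subject))
```

Because header decoding can reveal markup that the raw header line does not show, the escaping belongs at the point of output rather than in a filter on incoming mail.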
