Hey Mailman Users,

A new Django vulnerability was disclosed yesterday1 which can lead to account hijacks via password reset emails. The fix has been released as a part of Django 3.0.1, 2.2.9, and 1.11.27.

We do not support Django 3.0.1, so, please upgrade to 2.2.9 or 1.11.27, depending on which version of Mailman components you are using.

If you are using a virtualenv based installation, you can install the new versions using pip

(venv) $ pip install -U django==2.2.9

or similar for 1.11.27.

You can also upgrade django-allauth to 0.41.0, which also fixes this issue2.

I hope distro packages will soon have updated packages with the fixes.

I have also published new versions of Container Images, 0.3.2 (or, 0.3) both have been updated. See more details about updating the containers here[3].

-- thanks, Abhilash Raj (maxking)