Everyone,

A security vulnerability was reported against Postorius recently which allows any logged-in user to unsubscribe any other member on any other list on same Mailman installation using a specially crafted POST request due to a missing ownership check. This has been assigned CVE-2021-40347.

This affects all past versions of Postorius including 1.0.0.

Thanks to Kunal Mehta for the security report and a quick patch to fix the vulnerability.

I am also attaching a minimal patch that fixes it along with this email, without tests and NEWS so that it applies to older versions of Postorius easily (I have tested the included patch with 1.3.3, 1.3.2 git tags).

Upgrading to 1.3.5 release is highly recommended and it mostly includes the fix for this vulnerability (and a small compatibility fix for django-mailman3 1.3.6) so it shouldn’t introduce any other bugs.

You can upgrade to this release by running:

 $ pip install postorius==1.3.5

A full change log is available here1 as usual and can be downloaded from PyPI2.

Since there aren't many changes, this release requires 3.5+ like 1.3.4. Although, note that the next release will drop support for 3.5 and will support 3.6 only.

For those of you who use container images, I am working on 0.3.12 of container images right now, so look out for that announcement. For those of you using the rolling releases, you can already upgrade to the latest version of the rolling release as it has the fix.

-- thanks, Abhilash Raj (maxking)