- Package:
- src:postorius
- Source:
- src:postorius
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2026-05-15 04:41:02 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for postorius.

CVE-2026-44742[0]:
| Postorius through 1.3.13 does not escape HTML in the message subject
| when rendering it in the Held messages pop-up, as exploited in the
| wild in May 2026.

https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
https://gitlab.com/mailman/postorius/-/merge_requests/972

I'm preparing a DSA as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44742
    https://www.cve.org/CVERecord?id=CVE-2026-44742

Please adjust the affected versions in the BTS as needed.
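The flaw described above is a stored XSS: a subject line chosen by whoever sends mail to the list is inserted into the Held messages pop-up as markup rather than as text. The following is an added illustration, not Postorius code and not the content of the linked fix; it assumes the pop-up builds an HTML fragment from the subject string (as the CVE text describes) and uses a constructed held message whose subject carries an event-handler payload. It shows the unescaped rendering next to an escaped one and a parser-based check that tells the two apart, which is the kind of check a regression test for this class of bug would make.

```python
import html
from html.parser import HTMLParser

# Constructed sample held message (illustrative data, not a capture from a
# real Postorius instance). The subject is attacker-controlled input.
HELD_MESSAGE = {
    "msg_id": 42,
    "sender": "someone@example.org",
    "subject": 'Re: agenda <img src=x onerror="alert(document.cookie)">',
}


def render_popup_unescaped(msg):
    """Vulnerable pattern: the subject is dropped into the markup verbatim,
    so any tag in it becomes part of the DOM when the pop-up is shown."""
    return '<div class="held-subject">{}</div>'.format(msg["subject"])


def render_popup_escaped(msg):
    """Hardened pattern: the subject is HTML-escaped before it reaches the DOM.
    html.escape turns < > & " ' into entities; Django's escape()/autoescaping
    does the equivalent when the value passes through a template."""
    return '<div class="held-subject">{}</div>'.format(
        html.escape(msg["subject"], quote=True)
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_tags(fragment, wrapper="div"):
    """Return the tags in `fragment` other than the expected wrapper element.

    A non-empty result means the user-controlled text was interpreted as
    markup, i.e. the fragment is exploitable. Entities such as &lt;img are
    delivered to the parser as character data, not as tags, so an escaped
    rendering yields an empty list."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [(tag, attrs) for tag, attrs in parser.tags if tag != wrapper]


def has_event_handler(tags):
    """True if any injected tag carries an on* attribute (script execution
    without a <script> element, which is the usual payload shape here)."""
    return any(
        name.lower().startswith("on") for _, attrs in tags for name in attrs
    )


if __name__ == "__main__":
    for label, render in (
        ("unescaped", render_popup_unescaped),
        ("escaped", render_popup_escaped),
    ):
        out = render(HELD_MESSAGE)
        tags = injected_tags(out)
        print(label, "->", out)
        print("  injected tags:", tags)
        print("  executes script:", has_event_handler(tags))
```

The check deliberately uses an HTML parser rather than a substring search for "<script": the sample payload has no script element at all, and a regex that looked for one would pass the vulnerable rendering.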
Dear maintainer,

I've prepared an NMU for postorius (versioned as 1.3.13-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

Making this as we otherwise regress from trixie after the released DSA.

Regards,
Salvatore
Hi,

Actually I'm cancelling this upload since python3-django-postorius is not installable in unstable (due to its strict dependencies on python3-django; filed a bug about it).

Regards,
Salvatore
Hi,

I see in https://tracker.debian.org/pkg/postorius that 1.3.13-1+deb13u1 is in unstable and testing. Is this some kind of mistake? Security team?