-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4970-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 09, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : postorius CVE ID : CVE-2021-40347 Kevin Israel discovered that Postorius, the administrative web frontend for Mailman 3, didn't validate whether a logged-in user owns the email address when unsubscribing. For the oldstable distribution (buster), this problem has been fixed in version 1.2.4-1+deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 1.3.4-2+deb11u1. We recommend that you upgrade your postorius packages. For the detailed security status of postorius please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postorius Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmE6SCEACgkQEMKTtsN8 TjZTrA//T49YDDDMjC9w/YOAMAyfHUK+5rPfg+CwBVkUIuUaLVswfHWmBi6nmgML xkDB8n6EggieLrk2bSJFGCzsQBGszkDlrHEnTSskPEZzZUD+rR7bm58Z9RPyxIZI 7D4jXrVaH6u9Dbtph0mpaWuBv8cpYV0647HM3fU0SiLP3W0Y0mikxNd0FqDTv4yb ePdJLOpZTbYl2Ib3CZYAuPV5e9MxSFUGCM5hYvSkAkdD28PiMgiSna3sw0hpdc+V HvnAiPNmeW/3DF2niL59Z4Km1YhH1zMfATRd5SvNV/m9Y2J/+n9PbhvI7Neu1gLs E+mOLdefQCMvW4zOVTrBxxLhMafTBeIkIikfLrXUOTQg2BPsm1fLIkCTc9Be+3UV hz1nhQ60TRdGayGgo4U2zRrw94bnBP1gE3JjOOjg1n09+oinF9v2S0+Hk8gMnUaq dcIu7OIZcl9+yRKeO9/j7KGDdF5+B4VX+BRhHGgoic8LBcufHsZcgXcqu5mkeZNM cl0A826UwpbZIM0TlRNj78fJJV21EhqvVpKS3MJ9989DLuH+vFwa//gInI8Xvho7 F41/B7ZmKuPZbVV5L6SFXE56NWeWn5UqtwvSN3bD42AQYp5PcxS8n1IMsQoRSLHy cv6mIr3iOtaF9Y9b5gxsT9mS9rLbMWEmHwydoCUH3nJdz8k4O6I= =xYF1 -----END PGP SIGNATURE-----