oss-sec mailing list archives
Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier
From: Sebastian Pipping <sebastian () pipping org>
Date: Fri, 8 May 2026 16:37:34 +0200
On 5/8/26 06:19, Demi Marie Obenour wrote:
I know that the (unrelated) h2o project (a C HTTP server library and daemon) does tell users to use its master branch.
I would like to note that telling users to use the default branchmeans to ask them to watch that branch for new commits and to potentially re-deploy after every push to that branch, not just
after every release. With my upstream-elsewhere hat on, keeping the default branch in releasable shape and doing a new release soon after security fixes should be feasible. If it's not feasible, that probably indicates other problems. (I mean that in general and not with regard to Postorius or h2o, specially. I have not looked at these or their processes in detail.) Best, Sebastian
Current thread:
- XSS in Postorius (Mailman 3) 1.3.13 and earlier Alyssa Ross (May 07)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Demi Marie Obenour (May 07)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Sebastian Pipping (May 08)
- Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier Demi Marie Obenour (May 07)
