Message-ID: <c716f684-e75f-495d-9d5b-b09db268c7a0@pipping.org>
Date: Fri, 8 May 2026 16:37:34 +0200
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Subject: Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier

On 5/8/26 06:19, Demi Marie Obenour wrote:
> I know that the
> (unrelated) h2o project (a C HTTP server library and daemon) does
> tell users to use its master branch.

I would like to note that telling users to use the default branch
means to ask them to watch that branch for new commits and to
potentially re-deploy after every push to that branch, not just
after every release.

With my upstream-elsewhere hat on, keeping the default branch in
releasable shape and doing a new release soon after security fixes
should be feasible. If it's not feasible, that probably indicates other
problems. (I mean that in general and not with regard to Postorius or
h2o specifically. I have not looked at these or their processes in
detail.)

Best, Sebastian
