New vulnerability in Hyperkitty master branch
A new vulnerability was reported against Hyperkitty’s git master branch branch which can expose the archives of a private Mailing List through the new Feeds API that was added to Hyperkitty recently to someone who isn't a member or logged-in.
Thanks to Ngo Wei Lin for reporting this vulnerability.
This bug does not affect any stable released version of Hyperkitty and only affects installations from source (1.3.5b1 version). To differentiate from the vulnerable version, I have bumped the version in master branch to 1.3.5b2, so if you have 1.3.5b1 installed, you should upgrade!
The fix for this bug has been committed to master branch1 less than an hour ago as of this writing. If you are using git branches to install Hyperkitty, you can upgrade using the following command:
$ pip install --upgrade
I have also triggered a build for Mailman container images3 with this changes, so if you are using the rolling container images (which are the only affected ones), then you should upgrade to the latest one when the build1 finishes (approximately in next 30mins).
Do note that this version of rolling release of mailman-web image also includes the fix for the vulnerability announced against Postoruis earlier today.
You can verify that you have the fixed version of Hyperkitty in the image by running:
$ docker run -it --entrypoint bash maxking/mailman-web:rolling bash-5.0# pip list | grep HyperKitty HyperKitty 1.3.5b2
Ensure that you get 1.3.5b2 version.