Package: hyperkitty / 1.2.2-1+deb10u1

Metadata

Package | Version | Patches format
hyperkitty | 1.2.2-1+deb10u1 | 3.0 (quilt)

Patch series

Patch File delta Description
0001_README_remove_embedded_images.patch

README.rst | 15 0 + 15 - 0 !
1 file changed, 15 deletions(-)

 _readme_remove_embedded_images


0002 Ensure private archives stay private during import C.patch

hyperkitty/management/commands/hyperkitty_import.py | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 Ensure private archives stay private during import (CVE-2021-33038)

hyperkitty keeps state of whether a mailing list's archives should be
public or private in the hyperkitty_mailinglist table. However, during
the import process, it would create a row using the default settings
(archive_policy="public") instead of getting the correct values from
Mailman. It would only sync with Mailman at the end of the import
process.

This patch explicitly creates the hyperkitty_mailinglist row/object at
the beginning of the import process, so the visibility will be correctly
obtained from Mailman, before any messages can be accidentally leaked.
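
The ordering problem described in the patch note above, as an added example that is not code from HyperKitty or from the patch itself. It is a small in-memory model: the Archive class, its methods, the list address and the subjects are all hypothetical and constructed for illustration. It records what an anonymous visitor could read after each message is stored, first with the policy synced only at the end and then with the row created and synced before the first message.

```python
# Constructed model of the import ordering; every name here is hypothetical.
from dataclasses import dataclass, field

# Constructed sample: the policy Mailman holds for the list being imported.
MAILMAN_POLICY = {"board@example.org": "private"}


@dataclass
class Archive:
    lists: dict = field(default_factory=dict)     # list name -> archive_policy
    messages: list = field(default_factory=list)  # (list name, subject)

    def get_or_create_list(self, name):
        # New rows start with the default the patch note describes.
        self.lists.setdefault(name, "public")

    def sync_from_mailman(self, name):
        self.lists[name] = MAILMAN_POLICY[name]

    def store(self, name, subject):
        self.get_or_create_list(name)  # row appears implicitly with the first message
        self.messages.append((name, subject))

    def anonymous_view(self):
        # What a visitor without list membership can read right now.
        return [s for n, s in self.messages if self.lists.get(n) == "public"]


def run_import(archive, name, subjects, sync_first):
    """Import subjects and record the anonymous view after each stored message."""
    exposed = []
    if sync_first:
        # Patched ordering: create the row and fetch its policy before any message.
        archive.get_or_create_list(name)
        archive.sync_from_mailman(name)
    for subject in subjects:
        archive.store(name, subject)
        exposed.append(archive.anonymous_view())
    archive.sync_from_mailman(name)  # end-of-import sync, present in both orderings
    return exposed


if __name__ == "__main__":
    subjects = ["Q3 budget", "Personnel matter"]
    print("sync at end only:", run_import(Archive(), "board@example.org", subjects, False))
    print("sync before import:", run_import(Archive(), "board@example.org", subjects, True))
```

Both orderings end with the list private, so checking the archive only after the import finishes would not reveal the exposure window; the difference is visible only in the per-message snapshots.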