diff -Nru postorius-1.1.2/debian/changelog postorius-1.1.2/debian/changelog
--- postorius-1.1.2/debian/changelog 2018-03-16 15:57:27.000000000 +0000
+++ postorius-1.1.2/debian/changelog 2021-11-23 14:38:22.000000000 +0000
@@ -1,3 +1,12 @@
+postorius (1.1.2-3ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Sensitive Information Disclosure
+ - debian/patches/CVE-2021-40347.patch: Check a user owns the email
+ they are trying to unsubscribe.
+ - CVE-2021-40347
+
+ -- Paulo Flabiano Smorigo Tue, 23 Nov 2021 14:38:22 +0000
+
 postorius (1.1.2-3) unstable; urgency=medium
 [ Jonas Meurer ]
diff -Nru postorius-1.1.2/debian/control postorius-1.1.2/debian/control
--- postorius-1.1.2/debian/control 2018-03-16 15:14:08.000000000 +0000
+++ postorius-1.1.2/debian/control 2021-11-23 14:38:22.000000000 +0000
@@ -1,7 +1,8 @@
 Source: postorius
 Section: python
 Priority: optional
-Maintainer: Debian Mailman Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Mailman Team
 Uploaders: Pierre-Elliott Bécue , Jonas Meurer Build-Depends: debhelper (>= 11),
diff -Nru postorius-1.1.2/debian/patches/CVE-2021-40347.patch postorius-1.1.2/debian/patches/CVE-2021-40347.patch
--- postorius-1.1.2/debian/patches/CVE-2021-40347.patch 1970-01-01 00:00:00.000000000 +0000
+++ postorius-1.1.2/debian/patches/CVE-2021-40347.patch 2021-11-23 14:38:16.000000000 +0000
@@ -0,0 +1,35 @@
+From: Jonas Meurer
+Date: Thu, 9 Sep 2021 14:21:50 +0200
+Subject: [PATCH] Check a user owns the email they are trying to unsubscribe
+ (CVE-2021-40347)
+Origin: upstream, https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
+Author: Kunal Mehta
+
+The list unsubscribe/ endpoint now performs validation that the user
+making the request owns the email address they have requested be
+unsubscribed. Without this check, any logged-in user could unsubscribe
+any other email address from any list, also leaking whether that address
+was subscribed in the first place.
+---
+ src/postorius/views/list.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- postorius-1.1.2.orig/src/postorius/views/list.py
++++ postorius-1.1.2/src/postorius/views/list.py
+@@ -363,6 +363,15 @@ class ListUnsubscribeView(MailingListVie
+ @method_decorator(login_required)
+ def post(self, request, *args, **kwargs):
+ email = request.POST['email']
++ # Verify the user actually controls this email, should
++ # return 1 if the user owns the email, 0 otherwise.
++ found_email = EmailAddress.objects.filter(
++ user=request.user, email=email, verified=True).count()
++ if found_email == 0:
++ messages.error(
++ request,
++ _('You can only unsubscribe yourself.'))
++ return redirect('list_summary', self.mailing_list.list_id)
+ try:
+ self.mailing_list.unsubscribe(email)
+ messages.success(request, _('%s has been unsubscribed'
diff -Nru postorius-1.1.2/debian/patches/series postorius-1.1.2/debian/patches/series
--- postorius-1.1.2/debian/patches/series 2017-12-14 12:01:23.000000000 +0000
+++ postorius-1.1.2/debian/patches/series 2021-11-23 14:38:16.000000000 +0000
@@ -1 +1,2 @@
 0001-README.rst-remove-embedded-images.patch
+CVE-2021-40347.patch
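Review bot: The ownership check added at the top of the inner hunk materialises a row count only to compare it with zero; the idiomatic Django form is `if not EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists():`, which also lets the "should return 1 ... 0 otherwise" comment go, since a user may hold the same verified address more than once and the count is never used for anything but the zero test. The new lines reference `EmailAddress` (allauth's model) but the patch adds no import, so confirm that `src/postorius/views/list.py` in 1.1.2 already imports it — if it does not, the backport would presumably raise `NameError` on every unsubscribe request instead of rejecting it. The lookup is an exact match on `email`, so a verified address stored in a different letter-case than the submitted value is refused; that fails closed, which is the right direction for an authorisation check, but it is a behaviour change worth a line in the changelog entry. `post` continues past the end of the inner hunk, so the existing `try` block's error path is not visible here.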