From 5e5744f96faf378ab9ff524d6cc526a9c58abc38 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 31 2020 09:33:33 +0000 Subject: import mailman-2.1.15-30.el7 --- diff --git a/SOURCES/mailman-2.1.15-rh1351939.patch b/SOURCES/mailman-2.1.15-rh1351939.patch index a89bfc5..f1cd291 100644 --- a/SOURCES/mailman-2.1.15-rh1351939.patch +++ b/SOURCES/mailman-2.1.15-rh1351939.patch @@ -1,6 +1,5 @@ -=== modified file 'Mailman/Handlers/SpamDetect.py' ---- Mailman/Handlers/SpamDetect.py 2012-02-05 21:37:29 +0000 -+++ Mailman/Handlers/SpamDetect.py 2013-10-08 04:57:09 +0000 +--- a/Mailman/Handlers/SpamDetect.py 2012-02-05 21:37:29 +0000 ++++ b/Mailman/Handlers/SpamDetect.py 2013-10-08 04:57:09 +0000 @@ -27,6 +27,7 @@ import re diff --git a/SOURCES/mailman-cve_2018_0618.patch b/SOURCES/mailman-cve_2018_0618.patch new file mode 100644 index 0000000..5d2f1bd --- /dev/null +++ b/SOURCES/mailman-cve_2018_0618.patch @@ -0,0 +1,131 @@ +diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py +index 980e5f2..dfde630 100644 +--- a/Mailman/Gui/General.py ++++ b/Mailman/Gui/General.py +@@ -559,6 +559,14 @@ mlist.info. + or not isinstance(val, IntType)): + doc.addError(_("""admin_member_chunksize attribute not + changed! It must be an integer > 0.""")) ++ elif property == 'host_name': ++ try: ++ Utils.ValidateEmail('user@' + val) ++ except Errors.EmailAddressError: ++ doc.addError(_("""host_name attribute not changed! ++ It must be a valid domain name.""")) ++ else: ++ GUIBase._setValue(self, mlist, property, val, doc) + else: + GUIBase._setValue(self, mlist, property, val, doc) + +diff --git a/Mailman/Utils.py b/Mailman/Utils.py +index 9dbd0b5..fd6ac79 100644 +--- a/Mailman/Utils.py ++++ b/Mailman/Utils.py +@@ -1019,6 +1019,7 @@ _badwords = [ + ' longest: ++ syslog('mischief', ++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) ++ pieces[0] = pieces[0][:longest] + '...' ++ return pieces + return None + + 
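Review bot: The `syslog('mischief', 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)` call near the end of the new patch writes the over-long, request-supplied name to the log in full, and only the following line trims it to `longest` characters for display. Logging the trimmed value in escaped form, `'Hostile listname: listname=%r: remote=%s', pieces[0][:longest], remote`, would keep a single request from writing an arbitrarily long or control-character-laden line into the mischief log. The condition guarding this branch and the start of the enclosing function are not visible here (the text after the `_badwords` hunk header appears to have been lost in extraction), so confirm whether the path is already stripped of CR/LF earlier in the function. Separately, the `host_name` branch depends on `Utils.ValidateEmail`, which is defined outside this diff; since this is a backport, confirm that the validator in this tree rejects the markup characters the fix is meant to keep out of rendered pages.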
diff --git a/SPECS/mailman.spec b/SPECS/mailman.spec index e9f4066..6f09ba5 100644 --- a/SPECS/mailman.spec +++ b/SPECS/mailman.spec @@ -4,7 +4,7 @@ Summary: Mailing list manager with built in Web access Name: mailman Version: 2.1.15 -Release: 26%{?dist}.1 +Release: 30%{?dist} Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz @@ -45,6 +45,9 @@ Patch24: mailman-2.1.15-CVE-2015-2775.patch Patch25: mailman-2.1.15-rh1351939.patch Patch26: mailman-2.1.12-newlist-ja.patch Patch27: mailman-2_1-xss_vulnerability.patch +Patch28: mailman-findmember_decode.patch +Patch29: mailman-long_text_description.patch +Patch30: mailman-cve_2018_0618.patch License: GPLv2+ @@ -122,29 +125,7 @@ additional installation steps, these are described in: %{docdir}/INSTALL.REDHAT %prep -%setup -q -%patch1 -p1 -b .multimail -%patch2 -p1 -b .permissions -%patch3 -p1 -b .status -%patch4 -p1 -b .cron -%patch5 -p1 -b .FHS -%patch6 -p1 -b .python-compile -%patch7 -p1 -b .archive-in-reply-to -%patch8 -p1 -b .lctype -%patch9 -p1 -b .ctypo -%patch10 -p1 -b .ctypefix -%patch12 -p1 -b .selinux -%patch13 -p1 -b .unicode -%patch14 -p1 -b .fhsinit -%patch17 -p1 -b .mmcfg -%patch18 -p1 -b .initcleanup -%patch20 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p0 -%patch26 -p1 -%patch27 -p1 -b .xss +%autosetup -p1 # Change `#!/usr/bin/env python` shebang to `#!/usr/bin/python` sed -i '1s|^#! */usr/bin/env python$|#!/usr/bin/python|' `find -iname '*.py'` 
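Review bot: `%autosetup -p1` in `%prep` applies every `PatchN:` tag the spec declares, whereas the removed `%patch` list skipped numbers 11, 15, 16, 19 and 21. If any of those tags are still declared outside these hunks, they will now be applied to the build, so confirm they were removed or still apply cleanly. The switch also forces `-p1` on patch 25 (previously `-p0`, which the header rewrite in `mailman-2.1.15-rh1351939.patch` accounts for) and drops the `-b` backup suffixes. A comment above the macro such as `# %autosetup applies all PatchN in order with -p1; patches need a/ b/ path prefixes` would record that constraint for the next security backport.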
@@ -600,17 +581,23 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog -* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-26.1 -- Related: #1545974 - Add import regular expression module +* Wed Jul 31 2019 Pavel Zhukov - 3:2.1.15-30 +- Resolves: #1599692 - Sanitize input on listinfo page (CVE-2018-0618) -* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-26 -- Related: #1545974 - Bump release to make it higher than 7.5 +* Wed Jul 31 2019 Pavel Zhukov - 3:2.1.15-29 +- Resolves: #1611689 - Trim long text in "no such list" messages + +* Mon Jul 22 2019 Pavel Zhukov - 3:2.1.15-28 +- Resolves: #1718180 - Try to decode member name first -* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-24.2 -- Resolves: #1545974 - Add sanitizer to mitigate XSS injection +* Tue Mar 20 2018 Pavel Zhukov - 3:2.1.15-27 +- Related : #1545973 - Bump release to override rhel-7.4.z version + +* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-26 +- Resolves: #1545973 - Add sanitizer for XSS mitigation -* Fri Feb 16 2018 Pavel Zhukov - 3:2.1.15-24.1 -- Resolves: #1545974 - Fix XSS vulnerability in web UI +* Fri Feb 16 2018 Pavel Zhukov - 3:2.1.15-25 +- Resolves: #1545973 - Fix XSS vulnerability in web UI * Wed Feb 22 2017 Pavel Šimerda - 3:2.1.15-24 - Resolves: #1232737 - Fix instances of #!/usr/bin/env python in mailman