commit mailman for openSUSE:11.3
Hello community, here is the log from the commit of package mailman for openSUSE:11.3 checked in at Thu Mar 31 18:06:37 CEST 2011. --------
--- old-versions/11.3/all/mailman/mailman.changes 2009-11-03 20:20:21.000000000 +0100
+++ 11.3/mailman/mailman.changes 2011-02-23 19:43:22.000000000 +0100
@@ -1,0 +2,20 @@
+Wed Feb 23 19:42:27 CET 2011 - matejcik@suse.cz
+
+- fixed a XSS vulnerability in confirm.py (CVE-2011-0707, bnc#671745)
+
+-------------------------------------------------------------------
+Mon Nov 15 10:46:32 CET 2010 - dmueller@suse.de
+
+- update to 2.1.14:
+ - Two potential XSS vulnerabilities have been identified and fixed.
+ - Various i18n updates
+ - A new feature for controlling the addition/replacement of the Sender:
+ header in outgoing mail has been implemented. This allows a list owner
+ to set include_sender_header on the list's General Options page in the
+ admin GUI. The default for this setting is Yes which preserves the prior
+ behavior of removing any pre-existing Sender: and setting it to the
+ list's -bounces address. Setting this to No stops Mailman from adding or
+ modifying the Sender: at all.
+ - long list of bug fixes and enhancements, see included NEWS for details
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/mailman Destination is old-versions/11.3/UPDATES/all/mailman calling whatdependson for 11.3-i586 Old: ---- mailman-2.1.11.tgz mailman-2.1.3-misc-PACKAGES.diff mailman-2.1.3-python.dif mailman-2.1.4-avoid-headerfolding-python21.diff mailman-python-26-deprecation-md5-sha.diff mailman-python-26-email-fixes.diff minmem New: ---- mailman-2.1.14-CVE-2011-0707.patch mailman-2.1.14-misc-PACKAGES.diff mailman-2.1.14-python.dif mailman-2.1.14.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mailman.spec ++++++
--- /var/tmp/diff_new_pack.lb47su/_old 2011-03-31 18:06:15.000000000 +0200
+++ /var/tmp/diff_new_pack.lb47su/_new 2011-03-31 18:06:15.000000000 +0200
@@ -1,7 +1,7 @@ # -# spec file for package mailman (Version 2.1.11) +# spec file for package mailman # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,8 +30,8 @@ PreReq: /usr/sbin/useradd /usr/sbin/groupadd /bin/echo /bin/cp /bin/rm /bin/mkdir /usr/bin/awk /usr/bin/touch /usr/bin/getent openssl PreReq: permissions Summary: The GNU Mailing List Manager -Version: 2.1.11 -Release: 10 +Version: 2.1.14 +Release: 6.<RELEASE2> Source: %{name}-%{version}.tgz Source1: README.SuSE Source2: mailman-2.1-manpages.tgz @@ -52,13 +52,12 @@ %else Patch2: mailman-SuSE.patch %endif -Patch3: mailman-2.1.3-python.dif +Patch3: mailman-2.1.14-python.dif Patch5: mailman-2.1.3-editarch.patch -Patch6: mailman-2.1.3-misc-PACKAGES.diff +Patch6: mailman-2.1.14-misc-PACKAGES.diff Patch7: mailman-2.1.2-list_lists.patch Patch10: mailman-2.1.4-dirmode.patch Patch11: mailman-2.1.4-notavaliduser.patch -Patch15: mailman-2.1.4-avoid-headerfolding-python21.diff Patch17: mailman-weak-password.diff Patch18: mailman-2.1.5-no_extra_asian.dif Patch19: mailman-python24.patch @@ -66,8 +65,7 @@ %else Patch20: mailman-SuSE2.patch %endif -Patch21: mailman-python-26-deprecation-md5-sha.diff -Patch22: mailman-python-26-email-fixes.diff +Patch21: mailman-2.1.14-CVE-2011-0707.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define m_uid 72 %define m_gid 67 @@ -100,7 +98,6 @@ %patch7 %patch10 -p1 %patch11 -p1 -%patch15 -p1 %patch17 -p1 %patch18 %patch19 
@@ -109,7 +106,6 @@ %patch20 %endif %patch21 -%patch22 cp -av %{S:1} . # ---------------------------------------------------------------------------- ++++++ mailman-2.1.14-CVE-2011-0707.patch ++++++ === modified file 'Mailman/Cgi/confirm.py' --- Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +0000 +++ Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +0000 @@ -471,7 +471,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) table.AddRow([_("""Your confirmation is required in order to complete the unsubscription request from the mailing list <em>%(listname)s</em>. You are currently subscribed with @@ -573,7 +573,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) if globally: globallys = _('globally') else: @@ -814,7 +814,7 @@ if username is None: username = _('<em>not available</em>') else: - username = Utils.uncanonstr(username, lang) + username = Utils.websafe(Utils.uncanonstr(username, lang)) table.AddRow([_("""Your membership in the %(realname)s mailing list is currently disabled due to excessive bounces. Your confirmation is ++++++ mailman-2.1.3-misc-PACKAGES.diff -> mailman-2.1.14-misc-PACKAGES.diff ++++++ --- old-versions/11.3/all/mailman/mailman-2.1.3-misc-PACKAGES.diff 2009-10-04 14:12:35.000000000 +0200 +++ 11.3/mailman/mailman-2.1.14-misc-PACKAGES.diff 2010-11-15 10:49:14.000000000 +0100 @@ -1,5 +1,3 @@ -Index: mailman-2.1.11/Makefile.in -=================================================================== --- mailman-2.1.11.orig/Makefile.in +++ mailman-2.1.11/Makefile.in @@ -125,6 +125,7 @@ doinstall: $(SUBDIRS) 
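Review bot: In the three Mailman/Cgi/confirm.py hunks (@@ -471, @@ -573 and @@ -814) the escaping is added one call site at a time, and only for `fullname` and `username`. The same templates also interpolate `%(listname)s` and `%(realname)s`, and the hunks do not show whether those, or other member-supplied values elsewhere in confirm.py, are escaped before they reach `table.AddRow`. An audit of the remaining interpolations would be worthwhile, along with a regression test that uses a display name containing `<`, `>` and `&`. Because `Utils.websafe()` wraps the result of `Utils.uncanonstr()`, any character references uncanonstr may emit for characters the list charset cannot represent (not visible here, confirm in Utils.py) would have their `&` escaped again and render as literal text; that is safe but a display regression for non-ASCII names. A short comment at each site, e.g. `# member-supplied name: must be HTML-escaped before interpolation`, would help keep the call from being lost in a later patch refresh; the enclosing functions start and end outside the hunks.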
@@ -10,13 +8,11 @@ # Only run bin/update if we aren't installing in DESTDIR, as this # means there are probably no lists to deal with, and it wouldn't -Index: mailman-2.1.11/misc/Makefile.in -=================================================================== ---- mailman-2.1.11.orig/misc/Makefile.in -+++ mailman-2.1.11/misc/Makefile.in -@@ -58,7 +58,7 @@ EMAILPKG= email-2.5.8 - JACODECSPKG= JapaneseCodecs-1.4.11 - KOCODECSPKG= KoreanCodecs-2.0.5 +--- mailman-2.1.14/misc/Makefile.in 2010-09-20 20:18:27.000000000 +0200 ++++ mailman-2.1.14/misc/Makefile.in 2010-11-15 10:34:50.013318554 +0100 +@@ -57,7 +57,7 @@ + JACODECSPKG= @JACODECSPKG@ + KOCODECSPKG= @KOCODECSPKG@ -PACKAGES= $(EMAILPKG) $(JACODECSPKG) $(KOCODECSPKG) +PACKAGES= $(EMAILPKG) ++++++ mailman-2.1.3-python.dif -> mailman-2.1.14-python.dif ++++++ --- old-versions/11.3/all/mailman/mailman-2.1.3-python.dif 2009-10-04 14:12:36.000000000 +0200 +++ 11.3/mailman/mailman-2.1.14-python.dif 2010-11-15 10:49:14.000000000 +0100 
@@ -37,39 +37,18 @@ # Only run bin/update if we aren't installing in DESTDIR, as this # means there are probably no lists to deal with, and it wouldn't -Index: bin/mailmanctl -=================================================================== ---- bin/mailmanctl.orig -+++ bin/mailmanctl -@@ -417,6 +417,11 @@ def main(): - # won't be opening any terminal devices, don't do the ultra-paranoid - # suggestion of doing a second fork after the setsid() call. - os.setsid() -+ devnull = os.open('/dev/null', 0) -+ os.dup2(devnull, 0) -+ os.dup2(devnull, 1) -+ os.dup2(devnull, 2) -+ - # Instead of cd'ing to root, cd to the Mailman installation home - os.chdir(mm_cfg.PREFIX) - # Set our file mode creation umask -Index: misc/Makefile.in -=================================================================== ---- misc/Makefile.in.orig +--- misc/Makefile.in +++ misc/Makefile.in -@@ -47,10 +47,11 @@ SCRIPTSDIR= $(prefix)/scripts +@@ -47,9 +47,9 @@ SHELL= /bin/sh PYTHONLIBDIR= $(prefix)/pythonlib -SETUPINSTOPTS= --install-lib $(DESTDIR)$(PYTHONLIBDIR) \ - --install-purelib $(DESTDIR)$(PYTHONLIBDIR) \ - --install-data $(DESTDIR)$(PYTHONLIBDIR) --SETUPCMD= setup.py --quiet install $(SETUPINSTOPTS) -+SETUPINSTOPTS= --root=$(DESTDIR) \ -+ --install-lib $(PYTHONLIBDIR) \ ++SETUPINSTOPTS= --root=$(DESTDIR) --install-lib $(PYTHONLIBDIR) \ + --install-purelib $(PYTHONLIBDIR) \ + --install-data $(PYTHONLIBDIR) -+SETUPCMD= setup.py install $(SETUPINSTOPTS) + SETUPCMD= setup.py --quiet install $(SETUPINSTOPTS) PKGDIR= $(srcdir) - EMAILPKG= email-2.5.8 ++++++ mailman-2.1.11.tgz -> mailman-2.1.14.tgz ++++++ old-versions/11.3/all/mailman/mailman-2.1.11.tgz 11.3/mailman/mailman-2.1.14.tgz differ: char 5, line 1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
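Review bot: The refreshed mailman-2.1.14-python.dif no longer carries the bin/mailmanctl hunk that reopened descriptors 0, 1 and 2 on /dev/null after `os.setsid()`, and neither changelog entry explains the removal. If the 2.1.14 mailmanctl does not do this itself (not visible on this page), the daemon keeps whatever stdin/stdout/stderr it inherited from the invoking shell or init script. Please confirm against the 2.1.14 source and record the outcome in mailman.changes, for example `- dropped mailmanctl /dev/null redirection from python.dif (reason: ...)`. The same applies to the removed Patch15 and Patch22, which are dropped from the spec without a changelog line.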
root@hilbert.suse.de