commit mailman for openSUSE:11.4
Hello community, here is the log from the commit of package mailman for openSUSE:11.4 checked in at Sun Feb 27 12:56:39 CET 2011. -------- --- old-versions/11.4/all/mailman/mailman.changes 2010-11-15 10:49:19.000000000 +0100 +++ 11.4/mailman/mailman.changes 2011-02-23 19:43:22.000000000 +0100 @@ -1,0 +2,5 @@ +Wed Feb 23 19:42:27 CET 2011 - matejcik@suse.cz + +- fixed a XSS vulnerability in confirm.py (CVE-2011-0707, bnc#671745) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 Old: ---- minmem New: ---- mailman-2.1.14-CVE-2011-0707.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mailman.spec ++++++ --- /var/tmp/diff_new_pack.a9V76A/_old 2011-02-27 12:55:41.000000000 +0100 +++ /var/tmp/diff_new_pack.a9V76A/_new 2011-02-27 12:55:41.000000000 +0100 @@ -31,7 +31,7 @@ PreReq: permissions Summary: The GNU Mailing List Manager Version: 2.1.14 -Release: 1 +Release: 4.<RELEASE2> Source: %{name}-%{version}.tgz Source1: README.SuSE Source2: mailman-2.1-manpages.tgz @@ -65,6 +65,7 @@ %else Patch20: mailman-SuSE2.patch %endif +Patch21: mailman-2.1.14-CVE-2011-0707.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define m_uid 72 %define m_gid 67 @@ -104,6 +105,7 @@ %else %patch20 %endif +%patch21 cp -av %{S:1} . # ---------------------------------------------------------------------------- ++++++ mailman-2.1.14-CVE-2011-0707.patch ++++++ === modified file 'Mailman/Cgi/confirm.py' --- Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +0000 +++ Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +0000 
@@ -471,7 +471,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) table.AddRow([_("""Your confirmation is required in order to complete the unsubscription request from the mailing list <em>%(listname)s</em>. You are currently subscribed with @@ -573,7 +573,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) if globally: globallys = _('globally') else: @@ -814,7 +814,7 @@ if username is None: username = _('<em>not available</em>') else: - username = Utils.uncanonstr(username, lang) + username = Utils.websafe(Utils.uncanonstr(username, lang)) table.AddRow([_("""Your membership in the %(realname)s mailing list is currently disabled due to excessive bounces. Your confirmation is ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
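Review bot: Whether the confirmation pages are fully covered cannot be told from these three hunks (at 471, 573 and 814 of confirm.py). Each `table.AddRow` template that consumes the escaped value runs past the end of its hunk, and the visible context shows only `%(listname)s` and `%(realname)s`, so any other member- or request-supplied value interpolated there should be checked for the same escaping. After the change `fullname` and `username` hold HTML in both branches, translated markup in the `None` case and escaped text otherwise, and a comment above each `if` such as `# HTML-safe from here: markup when unset, websafe()-escaped otherwise` would keep a later edit from escaping twice or dropping the escape. If `Utils.uncanonstr` can return character references for names outside the list charset (its body is not shown here), wrapping it in `Utils.websafe` would display them as literal `&amp;#...;` text, so a test with a non-ASCII real name is worth adding.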