Hello community, here is the log from the commit of package mailman for openSUSE:11.2 checked in at Tue Apr 26 14:32:18 CEST 2011. --------
--- old-versions/11.2/UPDATES/all/mailman/mailman.changes 2009-11-30 18:53:51.000000000 +0100
+++ 11.2/mailman/mailman.changes 2011-04-22 14:24:37.000000000 +0200
@@ -1,0 +2,11 @@
+Tue Apr 19 15:58:22 UTC 2011 - jmatejek@novell.com
+
+- update to 2.1.14
+ * fixes many outstanding bugs
+ * fixes two potential XSS vulnerabilities, CVE-2010-3089 and CVE-2010-3090
+ (bnc#637295)
+- fixed another XSS, CVE-2011-0707 bnc#671745
+- patch cleanup
+- fixed problem with editing archives (bnc#621104)
+
+-------------------------------------------------------------------
calling whatdependson for 11.2-i586 Old: ---- mailman-2.1.12.tgz mailman-2.1.3-editarch.patch mailman-2.1.3-misc-PACKAGES.diff mailman-2.1.3-python.dif mailman-2.1.4-avoid-headerfolding-python21.diff minmem New: ---- mailman-2.1.14-CVE-2011-0707.patch mailman-2.1.14-editarch.patch mailman-2.1.14-misc-PACKAGES.diff mailman-2.1.14-python.dif mailman-2.1.14.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ mailman.spec ++++++
--- /var/tmp/diff_new_pack.IrgQ3H/_old 2011-04-26 14:31:10.000000000 +0200
+++ /var/tmp/diff_new_pack.IrgQ3H/_new 2011-04-26 14:31:10.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package mailman (Version 2.1.12)
+# spec file for package mailman
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,8 +30,8 @@ PreReq: /usr/sbin/useradd /usr/sbin/groupadd /bin/echo /bin/cp /bin/rm /bin/mkdir /usr/bin/awk /usr/bin/touch /usr/bin/getent openssl PreReq: permissions Summary: The GNU Mailing List Manager -Version: 2.1.12 -Release: 0.<RELEASE1> +Version: 2.1.14 +Release: 9.<RELEASE2> Source: %{name}-%{version}.tgz Source1: README.SuSE Source2: mailman-2.1-manpages.tgz @@ -52,13 +52,12 @@ %else Patch2: mailman-SuSE.patch %endif -Patch3: mailman-2.1.3-python.dif -Patch5: mailman-2.1.3-editarch.patch -Patch6: mailman-2.1.3-misc-PACKAGES.diff +Patch3: mailman-2.1.14-python.dif +Patch5: mailman-2.1.14-editarch.patch +Patch6: mailman-2.1.14-misc-PACKAGES.diff Patch7: mailman-2.1.2-list_lists.patch Patch10: mailman-2.1.4-dirmode.patch Patch11: mailman-2.1.4-notavaliduser.patch -Patch15: mailman-2.1.4-avoid-headerfolding-python21.diff Patch17: mailman-weak-password.diff Patch18: mailman-2.1.5-no_extra_asian.dif Patch19: mailman-python24.patch @@ -66,6 +65,8 @@ %else Patch20: mailman-SuSE2.patch %endif +Patch21: mailman-2.1.14-CVE-2011-0707.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %define m_uid 72 %define m_gid 67 @@ -98,10 +99,10 @@ %patch7 %patch10 -p1 %patch11 -p1 -%patch15 -p1 %patch17 -p1 %patch18 %patch19 +%patch21 %if %DISTRIBUTABLE %else %patch20 ++++++ mailman-2.1.14-CVE-2011-0707.patch ++++++ === modified file 'Mailman/Cgi/confirm.py' --- Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +0000 +++ Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +0000 @@ -471,7 +471,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) table.AddRow([_("""Your confirmation is required in order to complete the unsubscription request from the mailing list <em>%(listname)s</em>. You are currently subscribed with 
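Review bot: The added `Utils.websafe(...)` wrapper on `fullname` in the confirm.py hunk at -471 appears to be the only thing keeping a presumably member-supplied name out of the page markup, yet nothing at the call site says so, and the same unexplained wrapper is repeated in the hunks at -573 (`fullname`) and -814 (`username`). I would add a comment above each assignment, e.g. `# name comes from the member record: escape it before it is interpolated into the HTML table`. The `None` branch deliberately keeps literal `<em>` markup, so the two branches now carry different trust levels, which is worth stating in the same comment. Escaping is applied after `Utils.uncanonstr()`; if that helper can emit `&#NNN;` references for characters outside the list charset (its body is not shown here), `websafe` would presumably turn their `&` into `&amp;`, so a non-ASCII name should be checked in the rendered page. The enclosing functions start and end outside these hunks.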
@@ -573,7 +573,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) if globally: globallys = _('globally') else: @@ -814,7 +814,7 @@ if username is None: username = _('<em>not available</em>') else: - username = Utils.uncanonstr(username, lang) + username = Utils.websafe(Utils.uncanonstr(username, lang)) table.AddRow([_("""Your membership in the %(realname)s mailing list is currently disabled due to excessive bounces. Your confirmation is ++++++ mailman-2.1.3-editarch.patch -> mailman-2.1.14-editarch.patch ++++++ --- old-versions/11.2/UPDATES/all/mailman/mailman-2.1.3-editarch.patch 2008-08-28 02:12:14.000000000 +0200 +++ 11.2/mailman/mailman-2.1.14-editarch.patch 2011-04-22 14:22:27.000000000 +0200 @@ -1,6 +1,8 @@ ---- mailman-2.1.11/Mailman/Cgi/admin.py -+++ mailman-2.1.11/Mailman/Cgi/admin.py -@@ -414,6 +414,8 @@ +Index: mailman-2.1.14/Mailman/Cgi/admin.py +=================================================================== +--- mailman-2.1.14.orig/Mailman/Cgi/admin.py ++++ mailman-2.1.14/Mailman/Cgi/admin.py +@@ -416,6 +416,8 @@ def show_results(mlist, doc, category, s _('Go to the general list information page'))) otherlinks.AddItem(Link(mlist.GetScriptURL('edithtml'), _('Edit the public HTML pages and text files'))) @@ -9,8 +11,10 @@ otherlinks.AddItem(Link(mlist.GetBaseArchiveURL(), _('Go to list archives')).Format() + '<br> <br>') ---- mailman-2.1.11/Mailman/Cgi/editarch.py -+++ mailman-2.1.11/Mailman/Cgi/editarch.py +Index: mailman-2.1.14/Mailman/Cgi/editarch.py +=================================================================== +--- /dev/null ++++ mailman-2.1.14/Mailman/Cgi/editarch.py @@ -0,0 +1,509 @@ +# Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc. 
@@ -288,7 +292,7 @@ + l = Link(mlist.GetScriptURL('editarch'), _('Back to main overview')) + doc.AddItem(l) + -+# Display list of months containing messages in the archive ++# Display list of months containing messages in the archive +def DisplayMonthOverview(mlist, mbox, doc): + counter = 1 + inc = 100 @@ -383,7 +387,7 @@ + for l in m.headers: + warchfile.write(l) + warchfile.write('\n') -+ warchfile.write(m.fp.read()) ++ warchfile.write(m.fp.read()) + counter += 1 + + if lock_file: @@ -444,7 +448,7 @@ +# Make a human-readable Month YYYY from month and year numbers +def MakeDateString(year, month): + try: -+ date = time.strptime(str(year) + str(month), "%Y %m") ++ date = time.strptime(str(year) + " " + str(month), "%Y %m") + datestr = _(time.strftime("%B %Y", date)) + return datestr + except ValueError: @@ -521,9 +525,11 @@ + for thing, repl in repls: + s = s.replace(thing, repl) + return Utils.uncanonstr(s, lang) ---- mailman-2.1.11/Mailman/Defaults.py.in -+++ mailman-2.1.11/Mailman/Defaults.py.in -@@ -1352,6 +1352,10 @@ +Index: mailman-2.1.14/Mailman/Defaults.py.in +=================================================================== +--- mailman-2.1.14.orig/Mailman/Defaults.py.in ++++ mailman-2.1.14/Mailman/Defaults.py.in +@@ -1390,6 +1390,10 @@ PIDFILE = os.path.join(DATA_DIR, 'master SITE_PW_FILE = os.path.join(DATA_DIR, 'adm.pw') LISTCREATOR_PW_FILE = os.path.join(DATA_DIR, 'creator.pw') @@ -534,9 +540,11 @@ # Import a bunch of version numbers from Version import * ---- mailman-2.1.11/configure -+++ mailman-2.1.11/configure -@@ -4254,6 +4254,7 @@ +Index: mailman-2.1.14/configure +=================================================================== +--- mailman-2.1.14.orig/configure ++++ mailman-2.1.14/configure +@@ -5029,6 +5029,7 @@ build/cron/cull_bad_shunt:cron/cull_bad_ build/cron/disabled:cron/disabled \ build/cron/gate_news:cron/gate_news \ build/cron/mailpasswds:cron/mailpasswds \ 
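Review bot: In `MakeDateString` (hunk at -444 of the editarch patch), `datestr = _(time.strftime("%B %Y", date))` hands a string built at run time to the translation lookup, which can only match if the catalog happens to contain that exact month-and-year text; the month name is better left to `strftime` alone or translated separately from the year. The corrected `strptime` input would also read more clearly as one format expression, `date = time.strptime("%s %s" % (year, month), "%Y %m")`, which keeps the separator next to the `"%Y %m"` pattern it has to match. The `except ValueError:` branch continues outside the hunk, so what a malformed year or month produces cannot be judged from here.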
@@ -544,9 +552,11 @@ build/cron/nightly_gzip:cron/nightly_gzip \ build/cron/senddigests:cron/senddigests \ " ---- mailman-2.1.11/configure.in -+++ mailman-2.1.11/configure.in -@@ -597,6 +597,7 @@ +Index: mailman-2.1.14/configure.in +=================================================================== +--- mailman-2.1.14.orig/configure.in ++++ mailman-2.1.14/configure.in +@@ -688,6 +688,7 @@ cron/cull_bad_shunt \ cron/disabled \ cron/gate_news \ cron/mailpasswds \ @@ -554,9 +564,11 @@ cron/nightly_gzip \ cron/senddigests \ ]) ---- mailman-2.1.11/cron/Makefile.in -+++ mailman-2.1.11/cron/Makefile.in -@@ -42,7 +42,7 @@ +Index: mailman-2.1.14/cron/Makefile.in +=================================================================== +--- mailman-2.1.14.orig/cron/Makefile.in ++++ mailman-2.1.14/cron/Makefile.in +@@ -42,7 +42,7 @@ CRONDIR= $(prefix)/cron SHELL= /bin/sh PROGRAMS= checkdbs mailpasswds senddigests gate_news \ @@ -565,8 +577,10 @@ FILES= crontab.in BUILDDIR= ../build/cron ---- mailman-2.1.11/cron/crontab.in.in -+++ mailman-2.1.11/cron/crontab.in.in +Index: mailman-2.1.14/cron/crontab.in.in +=================================================================== +--- mailman-2.1.14.orig/cron/crontab.in.in ++++ mailman-2.1.14/cron/crontab.in.in @@ -25,3 +25,7 @@ # # At 4:30AM daily, cull old entries from the 'bad' and 'shunt' queues. @@ -575,8 +589,10 @@ +# At 3:57am every night, reprocess archives that have been edited. +57 3 * * * @PYTHON@ -S @prefix@/cron/nightly_archives + ---- mailman-2.1.11/cron/nightly_archives -+++ mailman-2.1.11/cron/nightly_archives +Index: mailman-2.1.14/cron/nightly_archives +=================================================================== +--- /dev/null ++++ mailman-2.1.14/cron/nightly_archives @@ -0,0 +1,126 @@ +#! @PYTHON@ +# 
@@ -704,9 +720,11 @@ + +if __name__ == '__main__': + main() ---- mailman-2.1.11/src/Makefile.in -+++ mailman-2.1.11/src/Makefile.in -@@ -70,7 +70,7 @@ +Index: mailman-2.1.14/src/Makefile.in +=================================================================== +--- mailman-2.1.14.orig/src/Makefile.in ++++ mailman-2.1.14/src/Makefile.in +@@ -70,7 +70,7 @@ DIRSETGID= chmod g+s # Fixed definitions ++++++ mailman-2.1.3-misc-PACKAGES.diff -> mailman-2.1.14-misc-PACKAGES.diff ++++++ --- old-versions/11.2/UPDATES/all/mailman/mailman-2.1.3-misc-PACKAGES.diff 2006-06-23 11:10:35.000000000 +0200 +++ 11.2/mailman/mailman-2.1.14-misc-PACKAGES.diff 2010-11-15 10:49:14.000000000 +0100 @@ -1,6 +1,6 @@ ---- mailman-2.1.4/Makefile.in -+++ mailman-2.1.4/Makefile.in -@@ -125,6 +125,7 @@ +--- mailman-2.1.11.orig/Makefile.in ++++ mailman-2.1.11/Makefile.in +@@ -125,6 +125,7 @@ doinstall: $(SUBDIRS) (cd $$d; $(MAKE) DESTDIR=$(DESTDIR) install); \ done $(PYTHON) -c 'from compileall import *; compile_dir("$(DESTDIR)$(prefix)/Mailman",ddir="$(prefix)/Mailman")' @@ -8,11 +8,11 @@ # Only run bin/update if we aren't installing in DESTDIR, as this # means there are probably no lists to deal with, and it wouldn't ---- mailman-2.1.4/misc/Makefile.in -+++ mailman-2.1.4/misc/Makefile.in +--- mailman-2.1.14/misc/Makefile.in 2010-09-20 20:18:27.000000000 +0200 ++++ mailman-2.1.14/misc/Makefile.in 2010-11-15 10:34:50.013318554 +0100 @@ -57,7 +57,7 @@ - JACODECSPKG= JapaneseCodecs-1.4.10 - KOCODECSPKG= KoreanCodecs-2.0.5 + JACODECSPKG= @JACODECSPKG@ + KOCODECSPKG= @KOCODECSPKG@ -PACKAGES= $(EMAILPKG) $(JACODECSPKG) $(KOCODECSPKG) +PACKAGES= $(EMAILPKG) ++++++ mailman-2.1.3-python.dif -> mailman-2.1.14-python.dif ++++++ --- old-versions/11.2/UPDATES/all/mailman/mailman-2.1.3-python.dif 2006-06-23 11:10:34.000000000 +0200 +++ 11.2/mailman/mailman-2.1.14-python.dif 2010-11-15 10:49:14.000000000 +0100 
@@ -1,6 +1,8 @@ ---- Mailman/Defaults.py.in +Index: Mailman/Defaults.py.in +=================================================================== +--- Mailman/Defaults.py.in.orig +++ Mailman/Defaults.py.in -@@ -83,8 +83,8 @@ +@@ -83,8 +83,8 @@ MAILMAN_URL = 'http://www.gnu.org/softwa # add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) # # because otherwise the default mappings won't be correct. @@ -11,7 +13,7 @@ DEFAULT_URL_PATTERN = 'http://%s/mailman/' # DEFAULT_HOST_NAME has been replaced with DEFAULT_EMAIL_HOST, however some -@@ -1136,8 +1136,8 @@ +@@ -1237,8 +1237,8 @@ if EXEC_PREFIX == '${prefix}': CGIEXT = '@CGIEXT@' # Group id that group-owns the Mailman installation @@ -22,9 +24,11 @@ # Enumeration for Mailman cgi widget types Toggle = 1 ---- Makefile.in +Index: Makefile.in +=================================================================== +--- Makefile.in.orig +++ Makefile.in -@@ -124,7 +124,7 @@ +@@ -124,7 +124,7 @@ doinstall: $(SUBDIRS) do \ (cd $$d; $(MAKE) DESTDIR=$(DESTDIR) install); \ done 
@@ -33,35 +37,18 @@ # Only run bin/update if we aren't installing in DESTDIR, as this # means there are probably no lists to deal with, and it wouldn't ---- bin/mailmanctl -+++ bin/mailmanctl -@@ -415,6 +415,11 @@ - # won't be opening any terminal devices, don't do the ultra-paranoid - # suggestion of doing a second fork after the setsid() call. - os.setsid() -+ devnull = os.open('/dev/null', 0) -+ os.dup2(devnull, 0) -+ os.dup2(devnull, 1) -+ os.dup2(devnull, 2) -+ - # Instead of cd'ing to root, cd to the Mailman installation home - os.chdir(mm_cfg.PREFIX) - # Clear our file mode creation umask --- misc/Makefile.in +++ misc/Makefile.in -@@ -46,10 +46,11 @@ +@@ -47,9 +47,9 @@ SHELL= /bin/sh PYTHONLIBDIR= $(prefix)/pythonlib -SETUPINSTOPTS= --install-lib $(DESTDIR)$(PYTHONLIBDIR) \ - --install-purelib $(DESTDIR)$(PYTHONLIBDIR) \ - --install-data $(DESTDIR)$(PYTHONLIBDIR) --SETUPCMD= setup.py --quiet install $(SETUPINSTOPTS) -+SETUPINSTOPTS= --root=$(DESTDIR) \ -+ --install-lib $(PYTHONLIBDIR) \ ++SETUPINSTOPTS= --root=$(DESTDIR) --install-lib $(PYTHONLIBDIR) \ + --install-purelib $(PYTHONLIBDIR) \ + --install-data $(PYTHONLIBDIR) -+SETUPCMD= setup.py install $(SETUPINSTOPTS) + SETUPCMD= setup.py --quiet install $(SETUPINSTOPTS) PKGDIR= $(srcdir) - EMAILPKG= email-2.5.4 ++++++ mailman-2.1.12.tgz -> mailman-2.1.14.tgz ++++++ old-versions/11.2/UPDATES/all/mailman/mailman-2.1.12.tgz 11.2/mailman/mailman-2.1.14.tgz differ: char 5, line 1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org