diff options
author | bouyer <bouyer@pkgsrc.org> | 2006-01-21 16:14:24 +0000 |
---|---|---|
committer | bouyer <bouyer@pkgsrc.org> | 2006-01-21 16:14:24 +0000 |
commit | 68085448cae7899b49e183af64bdd63072db6b55 (patch) | |
tree | 3ad848037d5124855a06aa11c8338303d2950a2e /mail/mailman/patches/patch-ac | |
parent | b278b9c73c87a62afe6d464194991e5b25b0342e (diff) | |
download | pkgsrc-68085448cae7899b49e183af64bdd63072db6b55.tar.gz |
Upgrade to 2.1.7nb1.
Local change (which is why we have PKGREVISION=1)
Fix http://secunia.com/advisories/18449/ (CVE-2005-4153) based on debian
patches.
Changes between 2.1.6 and 2.1.7:
Security
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate
message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
been solved in Mailman 2.1.6, there may be more cases where
ToDigest.send_digests() can block regular delivery. We put the
send_digests() calling part in a try/except clause and leave a message
in the error log if something happened in send_digests(). Daily call of
cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription
globally. Site admin can change these only if
mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- <script> tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended
recipients, the password is excluded from sendProbe() and probe.txt.
Note that the default value of VERP_PROBE has been set to `No' from
2.1.6., thus this change doesn't affect the default behavior.
New Features
- Always remove DomainKey (and similar) headers from messages sent to the
list. (1287546)
- List owners can control the content filter behavior when collapsing
multipart/alternative parts to its first subpart. This allows the
option of letting the HTML part pass through after other content
filtering is done.
Internationalization
- New language: Interlingua.
Bug fixes and other patches
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for
safer operation.
- Fixed the bug where Scrubber.py munges quoted-printable by introducing
the 'X-Mailman-Scrubbed' header which marks that the payload is
scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py,
Decorate.py and Archiver. A similar problem in ToDigest.py where the
plain digest is generated is also fixed.
- Fixed Syslog.py to write quopri encoded messages when it fail to write
8-bit characters.
- Fixed MTA/Postfix.py to check aliases group permission in check_perms
and fixed mailman-install document on this matter (1378270).
- Fixed private.py to go to the original URL after authorization
(1080943).
- Fixed bounce log score messages to be more consistent.
- Fixed bin/remove_members to accept no arguments when both --fromall and
--file= options are specified.
- Changed cgi-bin and mail wrapper "group not found" error message to be
more descriptive of the actual problem.
- The list's ban_list now applies to address changes, admin mass
subscribes and invites, and to confirmations/approvals of address
changes, subscriptions and invitations.
- quoted-printable and base64 encoded parts are decoded before passing to
HTML_TO_PLAIN_TEXT_COMMAND (1367783).
- Approve: header is removed from posts, and treated the same as the
Approved: header. (1355707)
- Fixed the removal of the line following Approve[d]: line in body of
post. (1318883)
- The Approve[d]: <password> header is removed from all text/* parts in
addition the initial text/plain part. It must still be the first
non-blank line in the first text/plain part or it won't be found or
removed at all. (1181161)
- Posts are now logged in post log file with the true sender, not
listname-bounces. (1287921)
- Correctly initialize and remember the list's default_member_moderation
attribute in the web list creation page. (1263213)
- PEP263 charset is added to the config_list output. (1343100)
- Fixed header_filter_rules getting lost if accessed directly and
authentication was needed by login page. (1230865)
- Obscure email when the poster doesn't set full name in 'From:' header.
- Preambles and epilogues are taken into account when calculating message
sizes for holding purposes. (Mark Sapiro)
- Logging/Logger.py unicode transform option. (1235567)
- bin/update crashes with bogus files. (949117)
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)
Diffstat (limited to 'mail/mailman/patches/patch-ac')
-rw-r--r-- | mail/mailman/patches/patch-ac | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/mail/mailman/patches/patch-ac b/mail/mailman/patches/patch-ac deleted file mode 100644 index 89e3a81148e..00000000000 --- a/mail/mailman/patches/patch-ac +++ /dev/null @@ -1,56 +0,0 @@ -$NetBSD: patch-ac,v 1.5 2005/12/08 21:09:04 bouyer Exp $ - -Fix for http://secunia.com/advisories/17511/ adapted from -http://ftp.debian.org/debian/pool/main/m/mailman/mailman_2.1.5-10.diff.gz - ---- Mailman/Handlers/Scrubber.py.orig 2005-05-22 22:55:08.000000000 +0300 -+++ Mailman/Handlers/Scrubber.py 2005-12-05 12:58:43.000000000 +0200 -@@ -195,7 +195,10 @@ def process(mlist, msg, msgdata=None): - url = save_attachment(mlist, part, dir) - finally: - os.umask(omask) -- filename = part.get_filename(_('not available')) -+ try: -+ filename = part.get_filename(_('not available')) -+ except UnicodeDecodeError: -+ filename = _('not available') - filename = Utils.oneline(filename, lcset) - del part['content-type'] - del part['content-transfer-encoding'] -@@ -300,7 +303,10 @@ Url: %(url)s - finally: - os.umask(omask) - desc = part.get('content-description', _('not available')) -- filename = part.get_filename(_('not available')) -+ try: -+ filename = part.get_filename(_('not available')) -+ except UnicodeDecodeError: -+ filename = _('not available') - filename = Utils.oneline(filename, lcset) - del part['content-type'] - del part['content-transfer-encoding'] -@@ -408,7 +414,11 @@ def save_attachment(mlist, msg, dir, fil - ctype = msg.get_content_type() - # i18n file name is encoded - lcset = Utils.GetCharSet(mlist.preferred_language) -- filename = Utils.oneline(msg.get_filename(''), lcset) -+ try: -+ filename = msg.get_filename('') -+ except UnicodeDecodeError: -+ filename = '' -+ filename = Utils.oneline(filename, lcset) - fnext = os.path.splitext(filename)[1] - # For safety, we should confirm this is valid ext for content-type - # but we can use fnext if we introduce fnext filtering -@@ -434,7 +444,10 @@ def save_attachment(mlist, msg, dir, fil - try: - # Now base the filename on what's in the attachment, uniquifying it if - # necessary. -- filename = msg.get_filename() -+ try: -+ filename = msg.get_filename() -+ except UnicodeDecodeError: -+ filename = None - if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME: - filebase = 'attachment' - else: |