author bouyer <bouyer@pkgsrc.org> 2006-01-21 16:14:24 +0000
committer bouyer <bouyer@pkgsrc.org> 2006-01-21 16:14:24 +0000
commit 68085448cae7899b49e183af64bdd63072db6b55
tree 3ad848037d5124855a06aa11c8338303d2950a2e /mail/mailman/patches/patch-ac
parent b278b9c73c87a62afe6d464194991e5b25b0342e
Upgrade to 2.1.7nb1.
Local change (which is why we have PKGREVISION=1)
Fix http://secunia.com/advisories/18449/ (CVE-2005-4153) based on debian patches.

Changes between 2.1.6 and 2.1.7:

Security
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has been solved in Mailman 2.1.6, there may be more cases where ToDigest.send_digests() can block regular delivery. We put the send_digests() calling part in a try/except clause and leave a message in the error log if something happened in send_digests(). Daily call of cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription globally. Site admin can change these only if mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- <script> tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended recipients, the password is excluded from sendProbe() and probe.txt. Note that the default value of VERP_PROBE has been set to `No' from 2.1.6., thus this change doesn't affect the default behavior.

New Features
- Always remove DomainKey (and similar) headers from messages sent to the list. (1287546)
- List owners can control the content filter behavior when collapsing multipart/alternative parts to its first subpart. This allows the option of letting the HTML part pass through after other content filtering is done.

Internationalization
- New language: Interlingua.

Bug fixes and other patches
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for safer operation.
- Fixed the bug where Scrubber.py munges quoted-printable by introducing the 'X-Mailman-Scrubbed' header which marks that the payload is scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py, Decorate.py and Archiver. A similar problem in ToDigest.py where the plain digest is generated is also fixed.
- Fixed Syslog.py to write quopri encoded messages when it fails to write 8-bit characters.
- Fixed MTA/Postfix.py to check aliases group permission in check_perms and fixed mailman-install document on this matter (1378270).
- Fixed private.py to go to the original URL after authorization (1080943).
- Fixed bounce log score messages to be more consistent.
- Fixed bin/remove_members to accept no arguments when both --fromall and --file= options are specified.
- Changed cgi-bin and mail wrapper "group not found" error message to be more descriptive of the actual problem.
- The list's ban_list now applies to address changes, admin mass subscribes and invites, and to confirmations/approvals of address changes, subscriptions and invitations.
- quoted-printable and base64 encoded parts are decoded before passing to HTML_TO_PLAIN_TEXT_COMMAND (1367783).
- Approve: header is removed from posts, and treated the same as the Approved: header. (1355707)
- Fixed the removal of the line following Approve[d]: line in body of post. (1318883)
- The Approve[d]: <password> header is removed from all text/* parts in addition to the initial text/plain part. It must still be the first non-blank line in the first text/plain part or it won't be found or removed at all. (1181161)
- Posts are now logged in post log file with the true sender, not listname-bounces. (1287921)
- Correctly initialize and remember the list's default_member_moderation attribute in the web list creation page. (1263213)
- PEP263 charset is added to the config_list output. (1343100)
- Fixed header_filter_rules getting lost if accessed directly and authentication was needed by login page. (1230865)
- Obscure email when the poster doesn't set full name in 'From:' header.
- Preambles and epilogues are taken into account when calculating message sizes for holding purposes. (Mark Sapiro)
- Logging/Logger.py unicode transform option. (1235567)
- bin/update crashes with bogus files. (949117)
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)
Diffstat (limited to 'mail/mailman/patches/patch-ac')
-rw-r--r-- mail/mailman/patches/patch-ac 56
1 files changed, 0 insertions, 56 deletions
diff --git a/mail/mailman/patches/patch-ac b/mail/mailman/patches/patch-ac
deleted file mode 100644
index 89e3a81148e..00000000000
--- a/mail/mailman/patches/patch-ac
+++ /dev/null
@@ -1,56 +0,0 @@
-$NetBSD: patch-ac,v 1.5 2005/12/08 21:09:04 bouyer Exp $
-
-Fix for http://secunia.com/advisories/17511/ adapted from
-http://ftp.debian.org/debian/pool/main/m/mailman/mailman_2.1.5-10.diff.gz
-
---- Mailman/Handlers/Scrubber.py.orig 2005-05-22 22:55:08.000000000 +0300
-+++ Mailman/Handlers/Scrubber.py 2005-12-05 12:58:43.000000000 +0200
-@@ -195,7 +195,10 @@ def process(mlist, msg, msgdata=None):
- url = save_attachment(mlist, part, dir)
- finally:
- os.umask(omask)
-- filename = part.get_filename(_('not available'))
-+ try:
-+ filename = part.get_filename(_('not available'))
-+ except UnicodeDecodeError:
-+ filename = _('not available')
- filename = Utils.oneline(filename, lcset)
- del part['content-type']
- del part['content-transfer-encoding']
-@@ -300,7 +303,10 @@ Url: %(url)s
- finally:
- os.umask(omask)
- desc = part.get('content-description', _('not available'))
-- filename = part.get_filename(_('not available'))
-+ try:
-+ filename = part.get_filename(_('not available'))
-+ except UnicodeDecodeError:
-+ filename = _('not available')
- filename = Utils.oneline(filename, lcset)
- del part['content-type']
- del part['content-transfer-encoding']
-@@ -408,7 +414,11 @@ def save_attachment(mlist, msg, dir, fil
- ctype = msg.get_content_type()
- # i18n file name is encoded
- lcset = Utils.GetCharSet(mlist.preferred_language)
-- filename = Utils.oneline(msg.get_filename(''), lcset)
-+ try:
-+ filename = msg.get_filename('')
-+ except UnicodeDecodeError:
-+ filename = ''
-+ filename = Utils.oneline(filename, lcset)
- fnext = os.path.splitext(filename)[1]
- # For safety, we should confirm this is valid ext for content-type
- # but we can use fnext if we introduce fnext filtering
-@@ -434,7 +444,10 @@ def save_attachment(mlist, msg, dir, fil
- try:
- # Now base the filename on what's in the attachment, uniquifying it if
- # necessary.
-- filename = msg.get_filename()
-+ try:
-+ filename = msg.get_filename()
-+ except UnicodeDecodeError:
-+ filename = None
- if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME:
- filebase = 'attachment'
- else:
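Review bot: the commit message never says why the four `except UnicodeDecodeError` guards around `get_filename()` in Mailman/Handlers/Scrubber.py can be dropped. It covers the new CVE-2005-4153 fix and the 2.1.7 changelog, but does not state that the fix for http://secunia.com/advisories/17511/ carried by this patch is now in the upstream source. Please add a line to the log saying patch-ac is removed because 2.1.7 includes it. Before relying on that, confirm the 2.1.7 Scrubber.py survives a `UnicodeDecodeError` at all four call sites this patch touched (the two with the `_('not available')` default and the two in `save_attachment()`), since an unguarded call there is the crash the deleted patch was added to prevent.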