author | bouyer <bouyer> | 2006-01-21 16:14:24 +0000 |
---|---|---|
committer | bouyer <bouyer> | 2006-01-21 16:14:24 +0000 |
commit | 1c27810be4547b5983b4cbfc43fa9c202ad55556 (patch) | |
tree | 3ad848037d5124855a06aa11c8338303d2950a2e /mail | |
parent | 970f6f888bd221bb6354fe60bf1e7d3de9def5ab (diff) | |
Upgrade to 2.1.7nb1.
Local change (which is why we have PKGREVISION=1)
Fix http://secunia.com/advisories/18449/ (CVE-2005-4153) based on Debian
patches.

Changes between 2.1.6 and 2.1.7:

Security
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate
  message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
  been solved in Mailman 2.1.6, there may be more cases where
  ToDigest.send_digests() can block regular delivery. We put the
  send_digests() calling part in a try/except clause and leave a message
  in the error log if something happened in send_digests(). Daily call of
  cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription
  globally. Site admin can change these only if
  mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- <script> tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended
  recipients, the password is excluded from sendProbe() and probe.txt.
  Note that the default value of VERP_PROBE has been set to `No' from
  2.1.6, thus this change doesn't affect the default behavior.

New Features
- Always remove DomainKey (and similar) headers from messages sent to the
  list. (1287546)
- List owners can control the content filter behavior when collapsing
  multipart/alternative parts to its first subpart. This allows the
  option of letting the HTML part pass through after other content
  filtering is done.

Internationalization
- New language: Interlingua.

Bug fixes and other patches
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for
  safer operation.
- Fixed the bug where Scrubber.py munges quoted-printable by introducing
  the 'X-Mailman-Scrubbed' header which marks that the payload is
  scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py,
  Decorate.py and Archiver. A similar problem in ToDigest.py where the
  plain digest is generated is also fixed.
- Fixed Syslog.py to write quopri encoded messages when it fails to write
  8-bit characters.
- Fixed MTA/Postfix.py to check aliases group permission in check_perms
  and fixed mailman-install document on this matter (1378270).
- Fixed private.py to go to the original URL after authorization
  (1080943).
- Fixed bounce log score messages to be more consistent.
- Fixed bin/remove_members to accept no arguments when both --fromall and
  --file= options are specified.
- Changed cgi-bin and mail wrapper "group not found" error message to be
  more descriptive of the actual problem.
- The list's ban_list now applies to address changes, admin mass
  subscribes and invites, and to confirmations/approvals of address
  changes, subscriptions and invitations.
- quoted-printable and base64 encoded parts are decoded before passing to
  HTML_TO_PLAIN_TEXT_COMMAND (1367783).
- Approve: header is removed from posts, and treated the same as the
  Approved: header. (1355707)
- Fixed the removal of the line following Approve[d]: line in body of
  post. (1318883)
- The Approve[d]: <password> header is removed from all text/* parts in
  addition to the initial text/plain part. It must still be the first
  non-blank line in the first text/plain part or it won't be found or
  removed at all. (1181161)
- Posts are now logged in post log file with the true sender, not
  listname-bounces. (1287921)
- Correctly initialize and remember the list's default_member_moderation
  attribute in the web list creation page. (1263213)
- PEP263 charset is added to the config_list output. (1343100)
- Fixed header_filter_rules getting lost if accessed directly and
  authentication was needed by login page. (1230865)
- Obscure email when the poster doesn't set full name in 'From:' header.
- Preambles and epilogues are taken into account when calculating message
  sizes for holding purposes. (Mark Sapiro)
- Logging/Logger.py unicode transform option. (1235567)
- bin/update crashes with bogus files. (949117)
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)

Diffstat (limited to 'mail')
-rw-r--r-- | mail/mailman/Makefile | 7 |
-rw-r--r-- | mail/mailman/PLIST | 51 |
-rw-r--r-- | mail/mailman/distinfo | 11 |
-rw-r--r-- | mail/mailman/patches/patch-ac | 56 |
-rw-r--r-- | mail/mailman/patches/patch-ai | 17 |
-rw-r--r-- | mail/mailman/patches/patch-aj | 17 |
6 files changed, 93 insertions, 66 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile index c950e9e6815..bd3f10c9936 100644 --- a/mail/mailman/Makefile +++ b/mail/mailman/Makefile @@ -1,10 +1,9 @@ -# $NetBSD: Makefile,v 1.29 2006/01/20 23:33:24 joerg Exp $ +# $NetBSD: Makefile,v 1.30 2006/01/21 16:14:24 bouyer Exp $ -DISTNAME= mailman-2.1.6 +DISTNAME= mailman-2.1.7 PKGREVISION= 1 CATEGORIES= mail www -MASTER_SITES= http://www.list.org/ \ - ${MASTER_SITE_GNU:=mailman/} +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mailman/} EXTRACT_SUFX= .tgz MAINTAINER= bouyer@NetBSD.org diff --git a/mail/mailman/PLIST b/mail/mailman/PLIST index 3fbcd0378c4..c45def91c7b 100644 --- a/mail/mailman/PLIST +++ b/mail/mailman/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.8 2005/06/01 23:25:07 bouyer Exp $ +@comment $NetBSD: PLIST,v 1.9 2006/01/21 16:14:24 bouyer Exp $ lib/mailman/Mailman/Archiver/Archiver.py lib/mailman/Mailman/Archiver/Archiver.pyc lib/mailman/Mailman/Archiver/HyperArch.py @@ -380,6 +380,8 @@ lib/mailman/messages/hr/LC_MESSAGES/mailman.po lib/mailman/messages/hu/LC_MESSAGES/mailman.mo lib/mailman/messages/hu/LC_MESSAGES/mailman.po lib/mailman/messages/hu/README.hu +lib/mailman/messages/ia/LC_MESSAGES/mailman.mo +lib/mailman/messages/ia/LC_MESSAGES/mailman.po lib/mailman/messages/it/LC_MESSAGES/mailman.mo lib/mailman/messages/it/LC_MESSAGES/mailman.po lib/mailman/messages/it/README.it 
@@ -1077,6 +1079,50 @@ lib/mailman/templates/hu/unsub.txt lib/mailman/templates/hu/unsubauth.txt lib/mailman/templates/hu/userpass.txt lib/mailman/templates/hu/verify.txt +lib/mailman/templates/ia/admindbdetails.html +lib/mailman/templates/ia/admindbpreamble.html +lib/mailman/templates/ia/admindbsummary.html +lib/mailman/templates/ia/admlogin.html +lib/mailman/templates/ia/archidxentry.html +lib/mailman/templates/ia/archidxfoot.html +lib/mailman/templates/ia/archidxhead.html +lib/mailman/templates/ia/archlistend.html +lib/mailman/templates/ia/archliststart.html +lib/mailman/templates/ia/archtoc.html +lib/mailman/templates/ia/archtocentry.html +lib/mailman/templates/ia/archtocnombox.html +lib/mailman/templates/ia/article.html +lib/mailman/templates/ia/emptyarchive.html +lib/mailman/templates/ia/headfoot.html +lib/mailman/templates/ia/listinfo.html +lib/mailman/templates/ia/options.html +lib/mailman/templates/ia/private.html +lib/mailman/templates/ia/roster.html +lib/mailman/templates/ia/subscribe.html +lib/mailman/templates/ia/adminsubscribeack.txt +lib/mailman/templates/ia/adminunsubscribeack.txt +lib/mailman/templates/ia/approve.txt +lib/mailman/templates/ia/bounce.txt +lib/mailman/templates/ia/checkdbs.txt +lib/mailman/templates/ia/convert.txt +lib/mailman/templates/ia/cronpass.txt +lib/mailman/templates/ia/disabled.txt +lib/mailman/templates/ia/help.txt +lib/mailman/templates/ia/invite.txt +lib/mailman/templates/ia/masthead.txt +lib/mailman/templates/ia/newlist.txt +lib/mailman/templates/ia/nomoretoday.txt +lib/mailman/templates/ia/postack.txt +lib/mailman/templates/ia/postauth.txt +lib/mailman/templates/ia/postheld.txt +lib/mailman/templates/ia/probe.txt +lib/mailman/templates/ia/refuse.txt +lib/mailman/templates/ia/subauth.txt +lib/mailman/templates/ia/subscribeack.txt +lib/mailman/templates/ia/unsub.txt +lib/mailman/templates/ia/unsubauth.txt +lib/mailman/templates/ia/userpass.txt +lib/mailman/templates/ia/verify.txt 
lib/mailman/templates/it/admindbdetails.html lib/mailman/templates/it/admindbpreamble.html lib/mailman/templates/it/admindbsummary.html @@ -1910,6 +1956,7 @@ share/examples/rc.d/mailman @dirrm lib/mailman/templates/ko @dirrm lib/mailman/templates/ja @dirrm lib/mailman/templates/it +@dirrm lib/mailman/templates/ia @dirrm lib/mailman/templates/hu @dirrm lib/mailman/templates/hr @dirrm lib/mailman/templates/fr @@ -1975,6 +2022,8 @@ share/examples/rc.d/mailman @dirrm lib/mailman/messages/ja @dirrm lib/mailman/messages/it/LC_MESSAGES @dirrm lib/mailman/messages/it +@dirrm lib/mailman/messages/ia/LC_MESSAGES +@dirrm lib/mailman/messages/ia @dirrm lib/mailman/messages/hu/LC_MESSAGES @dirrm lib/mailman/messages/hu @dirrm lib/mailman/messages/hr/LC_MESSAGES diff --git a/mail/mailman/distinfo b/mail/mailman/distinfo index b9b11c6e421..1c9e4c639be 100644 --- a/mail/mailman/distinfo +++ b/mail/mailman/distinfo 
@@ -1,13 +1,14 @@ -$NetBSD: distinfo,v 1.9 2005/12/08 21:09:04 bouyer Exp $ +$NetBSD: distinfo,v 1.10 2006/01/21 16:14:24 bouyer Exp $ -SHA1 (mailman-2.1.6.tgz) = cfabc1629feba109f85e51b85c1f64e4491e7ac4 -RMD160 (mailman-2.1.6.tgz) = 37107687d49d2a67e788fd51e11df5cb4b4e7929 -Size (mailman-2.1.6.tgz) = 6482726 bytes +SHA1 (mailman-2.1.7.tgz) = f84b465dc03227f384ea902fca3d8396035bd9e2 +RMD160 (mailman-2.1.7.tgz) = 05eb4119c7fd4d1a3af00dc5b60601f4ee2896df +Size (mailman-2.1.7.tgz) = 6736536 bytes SHA1 (patch-aa) = f0bc550b28794008ea840a88a5b0053578f3ae0f SHA1 (patch-ab) = 39f6294e53110bd1fd09b1e90ab46820f4d48e3f -SHA1 (patch-ac) = e539f39a747beae22b07694196092c786318698d SHA1 (patch-ad) = 665884b9dd1789e4abd430c762bdbfd707d48d30 SHA1 (patch-ae) = 6c17de398014217be8f1c7a3b3a6f8d379fc0fb2 SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e SHA1 (patch-ag) = f94f190e69ce892841b88574ec8e9f100b182ed9 SHA1 (patch-ah) = 42296c52e30b1fcc1d42ef0f1b89c83414ca85df +SHA1 (patch-ai) = 9b54bd2326bd9e0bbce588fda2bf287a4c480295 +SHA1 (patch-aj) = eb4e78f817f6d2ddab9e60b4b1cf902e28391689 diff --git a/mail/mailman/patches/patch-ac b/mail/mailman/patches/patch-ac deleted file mode 100644 index 89e3a81148e..00000000000 --- a/mail/mailman/patches/patch-ac +++ /dev/null 
@@ -1,56 +0,0 @@ -$NetBSD: patch-ac,v 1.5 2005/12/08 21:09:04 bouyer Exp $ - -Fix for http://secunia.com/advisories/17511/ adapted from -http://ftp.debian.org/debian/pool/main/m/mailman/mailman_2.1.5-10.diff.gz - ---- Mailman/Handlers/Scrubber.py.orig 2005-05-22 22:55:08.000000000 +0300 -+++ Mailman/Handlers/Scrubber.py 2005-12-05 12:58:43.000000000 +0200 -@@ -195,7 +195,10 @@ def process(mlist, msg, msgdata=None): - url = save_attachment(mlist, part, dir) - finally: - os.umask(omask) -- filename = part.get_filename(_('not available')) -+ try: -+ filename = part.get_filename(_('not available')) -+ except UnicodeDecodeError: -+ filename = _('not available') - filename = Utils.oneline(filename, lcset) - del part['content-type'] - del part['content-transfer-encoding'] -@@ -300,7 +303,10 @@ Url: %(url)s - finally: - os.umask(omask) - desc = part.get('content-description', _('not available')) -- filename = part.get_filename(_('not available')) -+ try: -+ filename = part.get_filename(_('not available')) -+ except UnicodeDecodeError: -+ filename = _('not available') - filename = Utils.oneline(filename, lcset) - del part['content-type'] - del part['content-transfer-encoding'] -@@ -408,7 +414,11 @@ def save_attachment(mlist, msg, dir, fil - ctype = msg.get_content_type() - # i18n file name is encoded - lcset = Utils.GetCharSet(mlist.preferred_language) -- filename = Utils.oneline(msg.get_filename(''), lcset) -+ try: -+ filename = msg.get_filename('') -+ except UnicodeDecodeError: -+ filename = '' -+ filename = Utils.oneline(filename, lcset) - fnext = os.path.splitext(filename)[1] - # For safety, we should confirm this is valid ext for content-type - # but we can use fnext if we introduce fnext filtering -@@ -434,7 +444,10 @@ def save_attachment(mlist, msg, dir, fil - try: - # Now base the filename on what's in the attachment, uniquifying it if - # necessary. 
-- filename = msg.get_filename() -+ try: -+ filename = msg.get_filename() -+ except UnicodeDecodeError: -+ filename = None - if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME: - filebase = 'attachment' - else: diff --git a/mail/mailman/patches/patch-ai b/mail/mailman/patches/patch-ai new file mode 100644 index 00000000000..4669dc70fd1 --- /dev/null +++ b/mail/mailman/patches/patch-ai @@ -0,0 +1,17 @@ +$NetBSD: patch-ai,v 1.3 2006/01/21 16:14:24 bouyer Exp $ + +Fix for http://secunia.com/advisories/18449/. Adapted from +Adapted from +http://security.ubuntu.com/ubunt...mailman_2.1.5-8ubuntu2.1.diff.gz + +--- Mailman/Queue/ArchRunner.py.orig Sat Jan 21 15:51:14 2006 ++++ Mailman/Queue/ArchRunner.py Sat Jan 21 15:51:50 2006 +@@ -49,7 +49,7 @@ + elif abs(now - mktime_tz(tup)) > \ + mm_cfg.ARCHIVER_ALLOWABLE_SANE_DATE_SKEW: + clobber = 1 +- except ValueError: ++ except (OverflowError, ValueError): + # The likely cause of this is that the year in the Date: field + # is horribly incorrect, e.g. (from SF bug # 571634): + # Date: Tue, 18 Jun 0102 05:12:09 +0500 diff --git a/mail/mailman/patches/patch-aj b/mail/mailman/patches/patch-aj new file mode 100644 index 00000000000..dad31c74855 --- /dev/null +++ b/mail/mailman/patches/patch-aj @@ -0,0 +1,17 @@ +$NetBSD: patch-aj,v 1.1 2006/01/21 16:14:24 bouyer Exp $ + +Fix for http://secunia.com/advisories/18449/. Adapted from +Adapted from +http://security.ubuntu.com/ubunt...mailman_2.1.5-8ubuntu2.1.diff.gz + +--- Mailman/Handlers/Scrubber.py.orig Sat Jan 21 15:49:01 2006 ++++ Mailman/Handlers/Scrubber.py Sat Jan 21 15:50:36 2006 +@@ -143,7 +143,7 @@ + }.get(parts[3], 0) + day = int(parts[4]) + year = int(parts[6]) +- except (IndexError, ValueError): ++ except (OverflowError, IndexError, ValueError): + # Best we can do I think + month = day = year = 0 + datedir = '%04d%02d%02d' % (year, month, day) |
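
Review bot: In the mail/mailman/Makefile hunk, MASTER_SITES drops both http://www.list.org/ and ${MASTER_SITE_GNU:=mailman/} and leaves ${MASTER_SITE_SOURCEFORGE:=mailman/} as the only fetch source, and the commit message gives no reason. If mailman-2.1.7.tgz is still published on either of the old sites, keep it as a fallback; if it is not, say so in the log. The SHA1 and RMD160 entries in distinfo pin the tarball content whichever site serves it.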
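
Review bot: The deletion of patches/patch-ac, together with the removal of its SHA1 line from distinfo, is not explained anywhere in the commit message. That patch wrapped four get_filename() calls in Mailman/Handlers/Scrubber.py in try/except UnicodeDecodeError for http://secunia.com/advisories/17511/, and the 2.1.7 change list quoted in the log does not mention that advisory. Please confirm the same handling is present in the 2.1.7 Scrubber.py and state that in the log, so that dropping a security patch during the version bump is traceable.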
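
Review bot: In patches/patch-ai, the comment kept under the widened clause "except (OverflowError, ValueError):" still describes only the bad-year case ("the year in the Date: field is horribly incorrect"), and nothing in the visible context says which call raises OverflowError. Add a line to the patch header or to that comment naming the call and the kind of Date: value that triggers it, so the next update can tell whether the local patch is still needed.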
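
Review bot: The header of patches/patch-aj repeats "Adapted from" on two consecutive lines (patch-ai has the same duplication), and it cites an Ubuntu diff (mailman_2.1.5-8ubuntu2.1.diff.gz) while the commit message says the fix is based on Debian patches. Drop the duplicated line and make the attribution consistent between the log and both patch headers. The header could also note that on OverflowError the existing fallback "month = day = year = 0" is taken, so such messages are filed under the datedir 00000000.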