From 420fff3b88caaa7b982d283193b84ef1a4fd1490 Mon Sep 17 00:00:00 2001 From: tron Date: Sat, 25 Sep 2010 10:02:51 +0000 Subject: Pullup ticket #3229 - requested by taca mail/mailman: security patch Revisions pulled up: - mail/mailman/Makefile 1.62 - mail/mailman/distinfo 1.19 - mail/mailman/patches/patch-ak 1.1 - mail/mailman/patches/patch-al 1.1 --- Module Name: pkgsrc Committed By: taca Date: Fri Sep 24 23:24:31 UTC 2010 Modified Files: pkgsrc/mail/mailman: Makefile distinfo Added Files: pkgsrc/mail/mailman/patches: patch-ak patch-al Log Message: Add patches to fix XSS (CVE-2010-3089). Bump PKGREVISION. --- mail/mailman/Makefile | 4 ++-- mail/mailman/distinfo | 4 +++- mail/mailman/patches/patch-ak | 15 +++++++++++++++ mail/mailman/patches/patch-al | 14 ++++++++++++++ 4 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 mail/mailman/patches/patch-ak create mode 100644 mail/mailman/patches/patch-al
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index fdaf3a8d0e5..8a3343b780e 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.60.4.1 2010/07/04 07:20:40 agc Exp $
+# $NetBSD: Makefile,v 1.60.4.2 2010/09/25 10:02:51 tron Exp $
 DISTNAME= mailman-2.1.12
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mailman/}
 EXTRACT_SUFX= .tgz
diff --git a/mail/mailman/distinfo b/mail/mailman/distinfo
index e5d162158b9..2185610b905 100644
--- a/mail/mailman/distinfo
+++ b/mail/mailman/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17.10.1 2010/07/04 07:20:40 agc Exp $
+$NetBSD: distinfo,v 1.17.10.2 2010/09/25 10:02:51 tron Exp $
 SHA1 (mailman-2.1.12.tgz) = 6d6281f7ce322e271f0259321f4d8931ff46e6ae
 RMD160 (mailman-2.1.12.tgz) = 94d8d132bb37180bf4c02ccd2a5fb3862ce13b94
@@ -10,3 +10,5 @@ SHA1 (patch-ae) = 6c17de398014217be8f1c7a3b3a6f8d379fc0fb2
 SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
 SHA1 (patch-ag) = 5fda86a90ef17a08c304ae89f0934812601d5dfc
 SHA1 (patch-ah) = c7cde35f787c003ace550a98d8d5e166ba2d48dc
+SHA1 (patch-ak) = d010a4bb1d7468ddf02ff22dbb3662a41045f8a2
+SHA1 (patch-al) = e07e6b77b4fea57683f79807ad9b9b2677e56b9e
diff --git a/mail/mailman/patches/patch-ak b/mail/mailman/patches/patch-ak
new file mode 100644
index 00000000000..d777e85b8ff
--- /dev/null
+++ b/mail/mailman/patches/patch-ak
@@ -0,0 +1,15 @@
+$NetBSD: patch-ak,v 1.1.2.2 2010/09/25 10:02:52 tron Exp $
+
+* Fix for CVE-2010-3089 (XSS).
+
+--- Mailman/Cgi/listinfo.py.orig 2009-02-23 21:23:35.000000000 +0000
++++ Mailman/Cgi/listinfo.py
+@@ -93,7 +93,7 @@ def listinfo_overview(msg=''):
+ else:
+ advertised.append((mlist.GetScriptURL('listinfo'),
+ mlist.real_name,
+- mlist.description))
++ Utils.websafe(mlist.description)))
+ if msg:
+ greeting = FontAttr(msg, color="ff5060", size="+1")
+ else:
diff --git a/mail/mailman/patches/patch-al b/mail/mailman/patches/patch-al
new file mode 100644
index 00000000000..13f1e610127
--- /dev/null
+++ b/mail/mailman/patches/patch-al
@@ -0,0 +1,14 @@
+$NetBSD: patch-al,v 1.1.2.2 2010/09/25 10:02:52 tron Exp $
+
+* Fix for CVE-2010-3089 (XSS).
+
+--- Mailman/Utils.py.orig 2009-02-23 21:23:35.000000000 +0000
++++ Mailman/Utils.py
+@@ -908,6 +908,7 @@ _badwords = [
+ # Kludge to allow the specific tag that's in the options.html template.
+ ')',
+ '
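Review bot: In the listinfo.py hunk carried by patch-ak, `mlist.real_name` still goes into the `advertised` tuple unescaped, one line above the field that now gets `Utils.websafe()`. Nothing visible here shows that real_name is restricted to safe characters where it is set, so unless that is enforced elsewhere, markup in it could reach the overview page the same way the description did; `Utils.websafe(mlist.real_name),` would encode it at the same output site. The escape is also applied at this one rendering site only, so any other page that prints a list description (none are visible in this diff) should be checked for the same call. listinfo_overview starts and ends outside the hunk, so how the tuple is rendered afterwards cannot be confirmed from here.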