diff --git a/.gitignore b/.gitignore index 02d184b..8cb743b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/mailman-2.1.29.tgz +SOURCES/mailman-2.1.30.tgz diff --git a/.mailman.metadata b/.mailman.metadata index 72eede2..6135313 100644 --- a/.mailman.metadata +++ b/.mailman.metadata @@ -1 +1 @@ -40fe97974a6f0805a01d55c6944565f238778238 SOURCES/mailman-2.1.29.tgz +01f3c33d057b771fd9bac3684f2f9be1d1000254 SOURCES/mailman-2.1.30.tgz diff --git a/SOURCES/mailman-CVE-2020-12137.patch b/SOURCES/mailman-CVE-2020-12137.patch deleted file mode 100644 index 09d4bc2..0000000 --- a/SOURCES/mailman-CVE-2020-12137.patch +++ /dev/null @@ -1,14 +0,0 @@ -=== modified file 'Mailman/Handlers/Scrubber.py' ---- Mailman/Handlers/Scrubber.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Handlers/Scrubber.py 2018-11-10 18:57:54 +0000 -@@ -87,6 +87,9 @@ - all = guess_all_extensions(ctype, strict=False) - if ext in all: - return ext -+ if ctype.lower == 'application/octet-stream': -+ # For this type, all[0] is '.obj'. '.bin' is better. -+ return '.bin' - return all and all[0] - - - diff --git a/SOURCES/mailman-CVE-2021-42096-2021-42097.patch b/SOURCES/mailman-CVE-2021-42096-2021-42097.patch index ee05f0a..13a2cfd 100644 --- a/SOURCES/mailman-CVE-2021-42096-2021-42097.patch +++ b/SOURCES/mailman-CVE-2021-42096-2021-42097.patch @@ -1,5 +1,5 @@ diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py -index a1e78d9..24e3e11 100644 +index a1e78d9..0940b7e 100644 --- a/Mailman/CSRFcheck.py +++ b/Mailman/CSRFcheck.py @@ -18,11 +18,13 @@ @@ -24,7 +24,7 @@ index a1e78d9..24e3e11 100644 + if user: + # Unmunge a munged email address. + user = UnobscureEmail(urllib.unquote(user)) -+ ++ for context in contexts: key, secret = mlist.AuthContextInfo(context, user) if key: @@ -58,7 +58,7 @@ index a1e78d9..24e3e11 100644 key, secret = mlist.AuthContextInfo(context, user) assert key 
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py -index 386b308..980fc09 100644 +index ee2293e..472a02b 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -54,9 +54,6 @@ except NameError: @@ -87,8 +87,8 @@ index 386b308..980fc09 100644 # Set the language for the page. If we're coming from the listinfo cgi, # we might have a 'language' key in the cgi data. That was an explicit # preference to view the page in, so we should honor that here. If that's -@@ -168,6 +156,16 @@ def main(): - user = user[-1] +@@ -169,6 +157,16 @@ def main(): + user = user[-1].strip() # Avoid cross-site scripting attacks + if set(params) - set(safe_params): @@ -104,7 +104,7 @@ index 386b308..980fc09 100644 safeuser = Utils.websafe(user) try: Utils.ValidateEmail(user) -@@ -867,8 +865,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): +@@ -868,8 +866,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): mlist.FormatButton('othersubs', _('List my other subscriptions'))) replacements[''] = ( diff --git a/SOURCES/mailman-bouncer_oom_crash.patch b/SOURCES/mailman-bouncer_oom_crash.patch deleted file mode 100644 index 54da0c9..0000000 --- a/SOURCES/mailman-bouncer_oom_crash.patch +++ /dev/null 
@@ -1,78 +0,0 @@ ---- Mailman/Bouncers/SimpleMatch.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 -@@ -25,6 +25,9 @@ - def _c(pattern): - return re.compile(pattern, re.IGNORECASE) - -+# Pattern to match any valid email address and not much more. -+VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') -+ - # This is a list of tuples of the form - # - # (start cre, end cre, address cre) -@@ -227,4 +230,4 @@ - break - if addrs: - break -- return addrs.keys() -+ return [x for x in addrs.keys() if VALID.match(x)] - -=== modified file 'Mailman/Bouncers/SimpleWarning.py' ---- Mailman/Bouncers/SimpleWarning.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Bouncers/SimpleWarning.py 2020-01-17 00:03:34 +0000 -@@ -17,9 +17,10 @@ - - """Recognizes simple heuristically delimited warnings.""" - -+import email -+ - from Mailman.Bouncers.BouncerAPI import Stop - from Mailman.Bouncers.SimpleMatch import _c --from Mailman.Bouncers.SimpleMatch import process as _process - - - -@@ -67,8 +68,25 @@ - - - def process(msg): -- if _process(msg, patterns): -- # It's a recognized warning so stop now -- return Stop -- else: -- return [] -+ # We used to just import process from SimpleMatch, but with the change in -+ # SimpleMatch to return only vaild addresses, that doesn't work any more. -+ # So, we copy most of the process from SimpleMatch here. 
-+ addrs = {} -+ for scre, ecre, acre in patterns: -+ state = 0 -+ for line in email.Iterators.body_line_iterator(msg, decode=True): -+ if state == 0: -+ if scre.search(line): -+ state = 1 -+ if state == 1: -+ mo = acre.search(line) -+ if mo: -+ addr = mo.group('addr') -+ if addr: -+ addrs[addr.strip('<>')] = 1 -+ elif ecre.search(line): -+ break -+ if addrs: -+ # It's a recognized warning so stop now -+ return Stop -+ return [] - ---- Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 -+++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 03:25:09 +0000 -@@ -26,7 +26,7 @@ - return re.compile(pattern, re.IGNORECASE) - - # Pattern to match any valid email address and not much more. --VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') -+VALID = _c(r'^[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+$') - - # This is a list of tuples of the form - # - diff --git a/SPECS/mailman.spec b/SPECS/mailman.spec index 18412e4..5108421 100644 --- a/SPECS/mailman.spec +++ b/SPECS/mailman.spec @@ -2,12 +2,12 @@ %global __os_install_post %(echo '%{__os_install_post}' | sed -e 's!/usr/lib[^[:space:]]*/brp-python-bytecompile[[:space:]].*$!!g') Summary: Mailing list manager with built in Web access Name: mailman -Version: 2.1.29 -Release: 12%{?dist}.2 +Version: 2.1.30 +Release: 1%{?dist} Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz -#Source0: http://prdownloads.sourceforge.net/mailman/mailman-%{version}.tgz +#Source0: http://prdownloads.sourceforge.net/mailman/mailman-%%{version}.tgz Source1: mm_cfg.py Source3: httpd-mailman.conf Source4: mailman.logrotate 
@@ -29,8 +29,6 @@ Patch13: mailman-2.1.9-unicode.patch Patch21: mailman-2.1.13-env-python.patch Patch22: mailman-2.1.15-check_perms.patch Patch24: mailman-specify_python_version.patch -Patch25: mailman-CVE-2020-12137.patch -Patch26: mailman-bouncer_oom_crash.patch Patch27: mailman-2.1.29-login_content_injection.patch Patch28: mailman-2.1.29-options_content_njection.patch Patch29: mailman-2.1.29-cmd_reply_encoding.patch @@ -124,8 +122,6 @@ additional installation steps, these are described in: %patch21 -p1 %patch22 -p1 %patch24 -p1 -b .python_version -%patch25 -p0 -b .cve_obj_mime -%patch26 -p0 -b .bouncer_match %patch27 -p0 -b .login_injection %patch28 -p0 -b .options_injection %patch29 -p0 -b .cmd_reply_encoding @@ -584,6 +580,10 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Wed Jul 26 2023 Martin Osvald - 3:2.1.30-1 +- New version 2.1.30 +- Fixes DMARC support (#2140631) + * Sun Nov 28 2021 Martin Osvald - 3:2.1.29-12.2 - Fix for CVE-2021-44227 - Resolves: #2026871
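Review bot: Dropping `Patch25: mailman-CVE-2020-12137.patch` and `Patch26: mailman-bouncer_oom_crash.patch` in this hunk, together with the matching `%patch25`/`%patch26` lines removed in the next hunk, is not recorded in the `%changelog` entry added in the last hunk, so the package history no longer shows where the CVE-2020-12137 fix comes from. If both fixes are carried by the 2.1.30 tarball, which this diff presumably relies on but does not show, add a changelog line such as `- Drop mailman-CVE-2020-12137.patch and mailman-bouncer_oom_crash.patch, included upstream in 2.1.30`. The deleted downstream patch compares `ctype.lower` (the method itself, not its result) with `'application/octet-stream'`. It is therefore worth confirming that `Mailman/Handlers/Scrubber.py` in the new tarball really returns `.bin` for that type before relying on the rebase for the fix.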