From 80bf5e1ccc2c6b4588609b21aae01ede4657aa27 Mon Sep 17 00:00:00 2001 From: Martin Osvald Date: Thu, 27 Jul 2023 10:49:07 +0200 Subject: [PATCH] New version 2.1.30 --- .gitignore | 1 + .mailman.metadata | 1 + mailman-CVE-2020-12137.patch | 14 ----- mailman-CVE-2021-42096-2021-42097.patch | 12 ++-- mailman-bouncer_oom_crash.patch | 78 ------------------------- mailman.spec | 14 ++--- sources | 2 +- 7 files changed, 16 insertions(+), 106 deletions(-) create mode 100644 .mailman.metadata delete mode 100644 mailman-CVE-2020-12137.patch delete mode 100644 mailman-bouncer_oom_crash.patch diff --git a/.gitignore b/.gitignore index c007c3b..613f8be 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ SOURCES/mailman-2.1.29.tgz /mailman-2.1.29.tgz +/mailman-2.1.30.tgz diff --git a/.mailman.metadata b/.mailman.metadata new file mode 100644 index 0000000..999fd6b --- /dev/null +++ b/.mailman.metadata @@ -0,0 +1 @@ +01f3c33d057b771fd9bac3684f2f9be1d1000254 mailman-2.1.30.tgz diff --git a/mailman-CVE-2020-12137.patch b/mailman-CVE-2020-12137.patch deleted file mode 100644 index 09d4bc2..0000000 --- a/mailman-CVE-2020-12137.patch +++ /dev/null @@ -1,14 +0,0 @@ -=== modified file 'Mailman/Handlers/Scrubber.py' ---- Mailman/Handlers/Scrubber.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Handlers/Scrubber.py 2018-11-10 18:57:54 +0000 -@@ -87,6 +87,9 @@ - all = guess_all_extensions(ctype, strict=False) - if ext in all: - return ext -+ if ctype.lower == 'application/octet-stream': -+ # For this type, all[0] is '.obj'. '.bin' is better. -+ return '.bin' - return all and all[0] - - - diff --git a/mailman-CVE-2021-42096-2021-42097.patch b/mailman-CVE-2021-42096-2021-42097.patch index ee05f0a..13a2cfd 100644 --- a/mailman-CVE-2021-42096-2021-42097.patch +++ b/mailman-CVE-2021-42096-2021-42097.patch @@ -1,5 +1,5 @@ diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py -index a1e78d9..24e3e11 100644 +index a1e78d9..0940b7e 100644 --- a/Mailman/CSRFcheck.py +++ b/Mailman/CSRFcheck.py @@ -18,11 +18,13 @@ @@ -24,7 +24,7 @@ index a1e78d9..24e3e11 100644 + if user: + # Unmunge a munged email address. + user = UnobscureEmail(urllib.unquote(user)) -+ ++ for context in contexts: key, secret = mlist.AuthContextInfo(context, user) if key: @@ -58,7 +58,7 @@ index a1e78d9..24e3e11 100644 key, secret = mlist.AuthContextInfo(context, user) assert key diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py -index 386b308..980fc09 100644 +index ee2293e..472a02b 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -54,9 +54,6 @@ except NameError: @@ -87,8 +87,8 @@ index 386b308..980fc09 100644 # Set the language for the page. If we're coming from the listinfo cgi, # we might have a 'language' key in the cgi data. That was an explicit # preference to view the page in, so we should honor that here. If that's -@@ -168,6 +156,16 @@ def main(): - user = user[-1] +@@ -169,6 +157,16 @@ def main(): + user = user[-1].strip() # Avoid cross-site scripting attacks + if set(params) - set(safe_params): @@ -104,7 +104,7 @@ index 386b308..980fc09 100644 safeuser = Utils.websafe(user) try: Utils.ValidateEmail(user) -@@ -867,8 +865,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): +@@ -868,8 +866,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): mlist.FormatButton('othersubs', _('List my other subscriptions'))) replacements[''] = ( diff --git a/mailman-bouncer_oom_crash.patch b/mailman-bouncer_oom_crash.patch deleted file mode 100644 index 54da0c9..0000000 --- a/mailman-bouncer_oom_crash.patch +++ /dev/null @@ -1,78 +0,0 @@ ---- Mailman/Bouncers/SimpleMatch.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 -@@ -25,6 +25,9 @@ - def _c(pattern): - return re.compile(pattern, re.IGNORECASE) - -+# Pattern to match any valid email address and not much more. -+VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') -+ - # This is a list of tuples of the form - # - # (start cre, end cre, address cre) -@@ -227,4 +230,4 @@ - break - if addrs: - break -- return addrs.keys() -+ return [x for x in addrs.keys() if VALID.match(x)] - -=== modified file 'Mailman/Bouncers/SimpleWarning.py' ---- Mailman/Bouncers/SimpleWarning.py 2018-06-17 23:47:34 +0000 -+++ Mailman/Bouncers/SimpleWarning.py 2020-01-17 00:03:34 +0000 -@@ -17,9 +17,10 @@ - - """Recognizes simple heuristically delimited warnings.""" - -+import email -+ - from Mailman.Bouncers.BouncerAPI import Stop - from Mailman.Bouncers.SimpleMatch import _c --from Mailman.Bouncers.SimpleMatch import process as _process - - - -@@ -67,8 +68,25 @@ - - - def process(msg): -- if _process(msg, patterns): -- # It's a recognized warning so stop now -- return Stop -- else: -- return [] -+ # We used to just import process from SimpleMatch, but with the change in -+ # SimpleMatch to return only vaild addresses, that doesn't work any more. -+ # So, we copy most of the process from SimpleMatch here. -+ addrs = {} -+ for scre, ecre, acre in patterns: -+ state = 0 -+ for line in email.Iterators.body_line_iterator(msg, decode=True): -+ if state == 0: -+ if scre.search(line): -+ state = 1 -+ if state == 1: -+ mo = acre.search(line) -+ if mo: -+ addr = mo.group('addr') -+ if addr: -+ addrs[addr.strip('<>')] = 1 -+ elif ecre.search(line): -+ break -+ if addrs: -+ # It's a recognized warning so stop now -+ return Stop -+ return [] - ---- Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 -+++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 03:25:09 +0000 -@@ -26,7 +26,7 @@ - return re.compile(pattern, re.IGNORECASE) - - # Pattern to match any valid email address and not much more. --VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') -+VALID = _c(r'^[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+$') - - # This is a list of tuples of the form - # - diff --git a/mailman.spec b/mailman.spec index 18412e4..5108421 100644 --- a/mailman.spec +++ b/mailman.spec @@ -2,12 +2,12 @@ %global __os_install_post %(echo '%{__os_install_post}' | sed -e 's!/usr/lib[^[:space:]]*/brp-python-bytecompile[[:space:]].*$!!g') Summary: Mailing list manager with built in Web access Name: mailman -Version: 2.1.29 -Release: 12%{?dist}.2 +Version: 2.1.30 +Release: 1%{?dist} Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz -#Source0: http://prdownloads.sourceforge.net/mailman/mailman-%{version}.tgz +#Source0: http://prdownloads.sourceforge.net/mailman/mailman-%%{version}.tgz Source1: mm_cfg.py Source3: httpd-mailman.conf Source4: mailman.logrotate @@ -29,8 +29,6 @@ Patch13: mailman-2.1.9-unicode.patch Patch21: mailman-2.1.13-env-python.patch Patch22: mailman-2.1.15-check_perms.patch Patch24: mailman-specify_python_version.patch -Patch25: mailman-CVE-2020-12137.patch -Patch26: mailman-bouncer_oom_crash.patch Patch27: mailman-2.1.29-login_content_injection.patch Patch28: mailman-2.1.29-options_content_njection.patch Patch29: mailman-2.1.29-cmd_reply_encoding.patch @@ -124,8 +122,6 @@ additional installation steps, these are described in: %patch21 -p1 %patch22 -p1 %patch24 -p1 -b .python_version -%patch25 -p0 -b .cve_obj_mime -%patch26 -p0 -b .bouncer_match %patch27 -p0 -b .login_injection %patch28 -p0 -b .options_injection %patch29 -p0 -b .cmd_reply_encoding @@ -584,6 +580,10 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Wed Jul 26 2023 Martin Osvald - 3:2.1.30-1 +- New version 2.1.30 +- Fixes DMARC support (#2140631) + * Sun Nov 28 2021 Martin Osvald - 3:2.1.29-12.2 - Fix for CVE-2021-44227 - Resolves: #2026871 diff --git a/sources b/sources index 55e8e06..2b18b57 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (mailman-2.1.29.tgz) = ed25179a4580092629890664c5502908b20e326c2ed06ad4e597fb4e8de84076c369ecd7a272be5ed8a1cb4479413d0e004d87804de763ee850e4d04d9a83376 +SHA512 (mailman-2.1.30.tgz) = 3433698cde9368b71a73040643cff5b66c2d8aa7df64a11868046ba62a808ca45a2be6259f5a30bbd7fcbc05f83f7a12314ec780845181db7b00206a1b61619e