From ff575e2cfe7c02e6babd65ad4fc36ec9b23b2a6b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2021 06:47:44 +0000 Subject: import mailman-2.1.29-11.module+el8.4.0+8277+5e2c6e6e --- diff --git a/SOURCES/mailman-2.1.29-login_content_injection.patch b/SOURCES/mailman-2.1.29-login_content_injection.patch new file mode 100644 index 0000000..2710b46 --- /dev/null +++ b/SOURCES/mailman-2.1.29-login_content_injection.patch @@ -0,0 +1,13 @@ +=== modified file 'Mailman/Cgi/options.py' +--- Mailman/Cgi/options.py 2019-03-06 17:48:32 +0000 ++++ Mailman/Cgi/options.py 2020-04-20 03:10:16 +0000 +@@ -173,7 +173,7 @@ + try: + Utils.ValidateEmail(user) + except Errors.EmailAddressError: +- doc.addError(_('Illegal Email Address: %(safeuser)s')) ++ doc.addError(_('Illegal Email Address')) + loginpage(mlist, doc, None, language) + print doc.Format() + return + diff --git a/SOURCES/mailman-2.1.29-options_content_njection.patch b/SOURCES/mailman-2.1.29-options_content_njection.patch new file mode 100644 index 0000000..fe81924 --- /dev/null +++ b/SOURCES/mailman-2.1.29-options_content_njection.patch @@ -0,0 +1,22 @@ +=== modified file 'Mailman/Cgi/private.py' +--- Mailman/Cgi/private.py 2019-03-06 17:48:32 +0000 ++++ Mailman/Cgi/private.py 2020-05-07 13:53:40 +0000 +@@ -162,13 +162,9 @@ + if mlist.isMember(username): + mlist.MailUserPassword(username) + elif username: +- # Not a member +- if mlist.private_roster == 0: +- # Public rosters +- safeuser = Utils.websafe(username) +- message = Bold(FontSize('+1', +- _('No such member: %(safeuser)s.'))).Format() +- else: ++ # Not a member. Don't report address in any case. It leads to ++ # Content injection. Just log if roster is not public. ++ if mlist.private_roster != 0: + syslog('mischief', + 'Reminder attempt of non-member w/ private rosters: %s', + username) + + diff --git a/SPECS/mailman.spec b/SPECS/mailman.spec index 301a343..aa77178 100644 --- a/SPECS/mailman.spec +++ b/SPECS/mailman.spec @@ -3,7 +3,7 @@ Summary: Mailing list manager with built in Web access Name: mailman Version: 2.1.29 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz @@ -31,7 +31,8 @@ Patch22: mailman-2.1.15-check_perms.patch Patch24: mailman-specify_python_version.patch Patch25: mailman-CVE-2020-12137.patch Patch26: mailman-bouncer_oom_crash.patch - +Patch27: mailman-2.1.29-login_content_injection.patch +Patch28: mailman-2.1.29-options_content_njection.patch License: GPLv2+ URL: http://www.list.org/ @@ -122,6 +123,8 @@ additional installation steps, these are described in: %patch24 -p1 -b .python_version %patch25 -p0 -b .cve_obj_mime %patch26 -p0 -b .bouncer_match +%patch27 -p0 -b .login_injection +%patch28 -p0 -b .options_injection #cp $RPM_SOURCE_DIR/mailman.INSTALL.REDHAT.in INSTALL.REDHAT.in cp %{SOURCE5} INSTALL.REDHAT.in @@ -575,6 +578,9 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Wed Sep 30 2020 Pavel Zhukov - 3:2.1.29-11 +- Fixes for CVE-2020-12108 and CVE-2020-15011 + * Mon May 25 2020 Pavel Zhukov - 3:2.1.29-10 - Fix match patter to reduce false allocation