File mailman-2.1.15-CVE-2018-0618.patch of Package mailman.14866
--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2013 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -447,13 +447,13 @@ class General(GUIBase):
 as "the mailbox of the agent responsible for the actual transmission of the message." Mailman replaces this header by default with the list's bounce address. - + <p>While it is debatable if Mailman is such an agent, setting this header helps directing bounces from some broken MTAs to the right destination. On the other hand, some mail readers show unexpected behaviour if this header is set (like missing addresses in forwarded mails and copies sent to the - bounce address on reply-to-all), so it can be disabled + bounce address on reply-to-all), so it can be disabled here.""")) )
@@ -511,6 +511,14 @@ mlist.info.
 or not isinstance(val, IntType)):
 doc.addError(_("""<b>admin_member_chunksize</b> attribute not changed! It must be an integer > 0."""))
+ elif property == 'host_name':
+ try:
+ Utils.ValidateEmail('user@' + val)
+ except Errors.EmailAddressError:
+ doc.addError(_("""<b>host_name</b> attribute not changed!
+ It must be a valid domain name."""))
+ else:
+ GUIBase._setValue(self, mlist, property, val, doc)
 else:
 GUIBase._setValue(self, mlist, property, val, doc)
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -935,6 +935,7 @@ _badwords = [
 '<meta',
 '<object',
 '<script',
+ '@keyframes',
 r'\bj(?:ava)?script\b',
 r'\bvbs(?:cript)?\b',
 r'\bdomactivate\b',
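Review bot: The new `host_name` branch in the `@@ -511` hunk carries no comment saying why a domain name is being validated through `Utils.ValidateEmail('user@' + val)`, and on success it falls through to a `GUIBase._setValue` call that duplicates the one in the outer `else`. A one-line comment above the `elif` would record the intent the NEWS entry gives for this patch, e.g. `# host_name is rendered into list pages; accept only a syntactically valid mail domain (CVE-2018-0618)`. The duplicated `_setValue` could be avoided by letting the `except` branch end the function and the outer `else` do the store, but the rest of `_setValue` lies outside the hunk so that depends on what follows. The rejection message deliberately does not echo `val`, which keeps the rejected value out of the admin page.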
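Review bot: `'@keyframes'` is added to `_badwords` as a bare literal among `\b`-anchored raw-string patterns; that matches the `'<meta'`/`'<script'` entries above it but only works if the consumer compiles every entry as a regular expression, which is outside this hunk, so a header comment stating that contract would help the next person adding a CSS at-rule, e.g. `# Each entry is a regex fragment applied to list-owner supplied HTML; plain literals and \b-anchored names both belong here`. The list is a denylist, and the follow-on hunks at `@@ -951`, `@@ -972`, `@@ -982` and `@@ -1006` show it has to be refreshed as browsers grow new event attributes; a comment naming that maintenance duty and the function that applies the list is the cheapest way to stop it going stale unnoticed. The `(?:on)?animation…` and `(?:on)?transitionend` entries also match the bare event names, unlike the rest of the `on…` patterns, presumably to cover CSS-driven triggers; the reason should be stated next to them.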
@@ -951,12 +952,14 @@ _badwords = [
 r'\bon(?:de)?activate\b',
 r'\bon(?:after|before)print\b',
 r'\bon(?:after|before)update\b',
+ r'\b(?:on)?animation(?:end|iteration|start)\b',
 r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b',
 r'\bonbeforeunload\b',
 r'\bonbegin\b',
 r'\bonblur\b',
 r'\bonbounce\b',
 r'\bonbroadcast\b',
+ r'\boncanplay(?:through)?\b',
 r'\bon(?:cell)?change\b',
 r'\boncheckboxstatechange\b',
 r'\bon(?:dbl)?click\b',
@@ -972,7 +975,9 @@ _badwords = [
 r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b',
 r'\bondragstart\b',
 r'\bondrop\b',
- r'\bonend\b',
+ r'\bondurationchange\b',
+ r'\bonemptied\b',
+ r'\bonend(?:ed)?\b',
 r'\bonerror(?:update)?\b',
 r'\bonfilterchange\b',
 r'\bonfinish\b',
@@ -982,21 +987,28 @@ _badwords = [
 r'\bonkey(?:up|down|press)\b',
 r'\bonlayoutcomplete\b',
 r'\bon(?:un)?load\b',
+ r'\bonloaded(?:meta)?data\b',
+ r'\bonloadstart\b',
 r'\bonlosecapture\b',
 r'\bonmedia(?:complete|error)\b',
+ r'\bonmessage\b',
 r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b',
 r'\bonmove(?:end|start)?\b',
 r'\bon(?:off|on)line\b',
+ r'\bonopen\b',
 r'\bonoutofsync\b',
 r'\bonoverflow(?:changed)?\b',
 r'\bonpage(?:hide|show)\b',
 r'\bonpaint\b',
 r'\bonpaste\b',
 r'\bonpause\b',
+ r'\bonplay(?:ing)?\b',
+ r'\bonpopstate\b',
 r'\bonpopup(?:hidden|hiding|showing|shown)\b',
 r'\bonprogress\b',
 r'\bonpropertychange\b',
 r'\bonradiostatechange\b',
+ r'\bonratechange\b',
 r'\bonreadystatechange\b',
 r'\bonrepeat\b',
 r'\bonreset\b',
@@ -1006,19 +1018,30 @@ _badwords = [
 r'\bonrow(?:delete|enter|exit|inserted)\b',
 r'\bonrows(?:delete|enter|inserted)\b',
 r'\bonscroll\b',
- r'\bonseek\b',
+ r'\bonsearch\b',
+ r'\bonseek(?:ed|ing)?\b',
 r'\bonselect(?:start)?\b',
 r'\bonselectionchange\b',
+ r'\bonshow\b',
 r'\bonstart\b',
+ r'\bonstalled\b',
 r'\bonstop\b',
+ r'\bonstorage\b',
 r'\bonsubmit\b',
+ r'\bonsuspend\b',
 r'\bonsync(?:from|to)preference\b',
 r'\bonsyncrestored\b',
 r'\bontext\b',
- r'\bontimeerror\b',
+ r'\bontime(?:error|update)\b',
+ r'\bontoggle\b',
+ r'\bontouch(?:cancel|end|move|start)\b',
 r'\bontrackchange\b',
+ r'\b(?:on)?transitionend\b',
 r'\bonunderflow\b',
 r'\bonurlflip\b',
+ r'\bonvolumechange\b',
+ r'\bonwaiting\b',
+ r'\bonwheel\b',
 r'\bseeksegmenttime\b',
 r'\bsvgabort\b',
 r'\bsvgerror\b',
--- a/NEWS
+++ b/NEWS
@@ -266,6 +266,9 @@ Here is a history of user visible change
 values for these settings result in no change from the prior release. Bug #774588. + - A few more error messages have had their values HTML escaped. + JVN#00846677/JPCERT#97432283/CVE-2018-0618 + i18n - Added some missing German templates from Egon Frerich.
@@ -666,6 +669,12 @@ Here is a history of user visible change
 2.1.12 (23-Feb-2009) + Security + + - Existing protections against malicious listowners injecting evil + scripts into listinfo pages have had a few more checks added. + JVN#00846677/JPCERT#97432283/CVE-2018-0618 + Bug fixes and other patches - Fix compatibility with Python 2.6.
--- a/Mailman/Gui/GUIBase.py
+++ b/Mailman/Gui/GUIBase.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2002-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 2002-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -171,7 +171,8 @@ class GUIBase:
 except ValueError:
 doc.addError(_('Invalid value for variable: %(property)s'))
 # This is the parent of MMBadEmailError and MMHostileAddress
- except Errors.EmailAddressError, error:
+ except Errors.EmailAddressError as error:
+ error = Utils.websafe(str(error))
 doc.addError(
 _('Bad email address for option %(property)s: %(error)s'))
 else:
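Review bot: The rebinding `error = Utils.websafe(str(error))` only takes effect because the following `_('Bad email address for option %(property)s: %(error)s')` appears to pick `error` up from the local scope rather than receiving it as an argument; that coupling is easy to break in a later edit, so it deserves a comment, e.g. `# _() interpolates %(error)s from locals; escape before it reaches the page`. `%(property)s` is interpolated unescaped both here and in the `ValueError` message at the top of the hunk; if `property` can ever originate from request data it needs the same `Utils.websafe` treatment, which cannot be told from the hunk because the enclosing method begins above it.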