Security fix for CVE-2011-0707.

Mailman "Full Name" Script Insertion Vulnerabilities. Patch from upstream ML.
2011-03-03 09:50:11 +00:00 · 2011-03-03 09:50:11 +00:00 · 7b476c259c
commit 7b476c259c
parent ea0ae38022
2 changed files with 39 additions and 2 deletions
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.65 2011/01/05 16:05:54 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.66 2011/03/03 09:50:11 jasper Exp $

 COMMENT=	mailing list manager with web interface

 DISTNAME=	mailman-2.1.14
-REVISION=	8
+REVISION=	9
 CATEGORIES=	mail www

 HOMEPAGE=	http://www.gnu.org/software/mailman/
--- a/mail/mailman/patches/patch-Mailman_Cgi_confirm_py
+++ b/mail/mailman/patches/patch-Mailman_Cgi_confirm_py
@ -0,0 +1,37 @@
+$OpenBSD: patch-Mailman_Cgi_confirm_py,v 1.1 2011/03/03 09:50:11 jasper Exp $
+
+Security fix for CVE-2011-0707.
+Mailman "Full Name" Script Insertion Vulnerabilities.
+
+Patch from upstream announcement:
+http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html
+
+--- Mailman/Cgi/confirm.py.orig	Mon Sep 20 20:18:27 2010
+++ Mailman/Cgi/confirm.py	Thu Mar  3 10:47:51 2011
+@@ -471,7 +471,7 @@ def unsubscription_prompt(mlist, doc, cookie, addr):
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
+        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     table.AddRow([_("""Your confirmation is required in order to complete the
+     unsubscription request from the mailing list <em>%(listname)s</em>.  You
+     are currently subscribed with
+@@ -573,7 +573,7 @@ def addrchange_prompt(mlist, doc, cookie, oldaddr, new
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
+        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     if globally:
+         globallys = _('globally')
+     else:
+@@ -814,7 +814,7 @@ def reenable_prompt(mlist, doc, cookie, list, member):
+     if username is None:
+         username = _('<em>not available</em>')
+     else:
+-        username = Utils.uncanonstr(username, lang)
+        username = Utils.websafe(Utils.uncanonstr(username, lang))
+ 
+     table.AddRow([_("""Your membership in the %(realname)s mailing list is
+     currently disabled due to excessive bounces.  Your confirmation is