pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/mail/mailman Apply patch from Mailman maintainers to f...
details: https://anonhg.NetBSD.org/pkgsrc/rev/0def4d330591
branches: trunk
changeset: 489015:0def4d330591
user: tv <tv%pkgsrc.org@localhost>
date: Mon Feb 14 16:56:38 2005 +0000
description:
Apply patch from Mailman maintainers to fix vulnerability described in:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202
diffstat:
mail/mailman/Makefile | 4 ++--
mail/mailman/distinfo | 3 ++-
mail/mailman/patches/patch-ai | 30 ++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+), 3 deletions(-)
diffs (61 lines):
diff -r 143b993893fc -r 0def4d330591 mail/mailman/Makefile
--- a/mail/mailman/Makefile Mon Feb 14 16:31:41 2005 +0000
+++ b/mail/mailman/Makefile Mon Feb 14 16:56:38 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.18 2005/01/23 20:41:48 recht Exp $
+# $NetBSD: Makefile,v 1.19 2005/02/14 16:56:38 tv Exp $
DISTNAME= mailman-2.1.4
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= mail www
MASTER_SITES= http://www.list.org/ \
${MASTER_SITE_GNU:=mailman/}
diff -r 143b993893fc -r 0def4d330591 mail/mailman/distinfo
--- a/mail/mailman/distinfo Mon Feb 14 16:31:41 2005 +0000
+++ b/mail/mailman/distinfo Mon Feb 14 16:56:38 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2004/09/06 04:12:46 lukem Exp $
+$NetBSD: distinfo,v 1.5 2005/02/14 16:56:38 tv Exp $
SHA1 (mailman-2.1.4.tgz) = b77d22283d5780b6d8449f19f86c210e4e58a032
Size (mailman-2.1.4.tgz) = 5779983 bytes
@@ -10,3 +10,4 @@
SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
SHA1 (patch-ag) = f94f190e69ce892841b88574ec8e9f100b182ed9
SHA1 (patch-ah) = 42296c52e30b1fcc1d42ef0f1b89c83414ca85df
+SHA1 (patch-ai) = 39288f7047063f77d0a94128f74ae4e9fa9e72e9
diff -r 143b993893fc -r 0def4d330591 mail/mailman/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/patches/patch-ai Mon Feb 14 16:56:38 2005 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-ai,v 1.1 2005/02/14 16:56:38 tv Exp $
+
+Index: private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- Mailman/Cgi/private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
++++ Mailman/Cgi/private.py 10 Feb 2005 03:34:21 -0000
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+
++SLASH = '/'
++
+
+
+ def true_path(path):
+ "Ensure that the path is safe by removing .."
+- path = path.replace('../', '')
+- path = path.replace('./', '')
+- return path[1:]
++ parts = path.split(SLASH)
++ safe = [x for x in parts if x not in ('.', '..')]
++ if parts <> safe:
++ syslog('mischief', 'Directory traversal attack thwarted')
++ return SLASH.join(safe)[1:]
+
+
+
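Review bot: In the new true_path(), the `if parts <> safe:` branch logs only the fixed string 'Directory traversal attack thwarted', and it fires when a harmless '.' component is dropped as well as when '..' is. An entry in the 'mischief' log therefore cannot be triaged and is not a reliable attack signal. Include the rejected path (escaped for the log) in the message, and log only when a '..' component was actually removed. No import of syslog is added in this hunk, so confirm that private.py already has it in scope; if it does not, the rejection branch raises NameError instead of logging. The final `[1:]` still assumes the input begins with '/', as the removed `return path[1:]` did; a short comment stating that precondition would help. The patch file itself carries no note naming the advisory it addresses, so a one-line comment under the $NetBSD$ tag referencing CAN-2005-0202 would make it easier to audit later.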