Your message dated Fri, 28 May 2021 22:57:10 +0200
with message-id <[email protected]>
and subject line Re: Bug#989199: unblock: hyperkitty/1.3.4-4
has caused the Debian Bug report #989199,
regarding unblock: hyperkitty/1.3.4-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989199: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989199
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package hyperkitty
[ Reason ]
hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
private archives stay private during import). The patch is really simple and
straightforward.
I'd suggest unblocking hyperkitty 1.3.4-4 right away and not waiting for the
20-day period until it auto-migrates (due to autopkgtests).
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock hyperkitty/1.3.4-4
Here's the full changelog for hyperkitty 1.3.4-4:
> hyperkitty (1.3.4-4) unstable; urgency=high
>
> * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
> archives stay private during import (CVE-2021-33038). (Closes: #989183)
>
> -- Jonas Meurer <[email protected]> Fri, 28 May 2021 11:00:26 +0200
Kind regards
jonas
diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
--- hyperkitty-1.3.4/debian/changelog 2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/changelog 2021-05-28 11:00:26.000000000 +0200
@@ -1,3 +1,10 @@
+hyperkitty (1.3.4-4) unstable; urgency=high
+
+ * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
+ archives stay private during import (CVE-2021-33038). (Closes: #989183)
+
+ -- Jonas Meurer <[email protected]> Fri, 28 May 2021 11:00:26 +0200
+
hyperkitty (1.3.4-3) unstable; urgency=high
* d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
diff -Nru
hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
---
hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
1970-01-01 01:00:00.000000000 +0100
+++
hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
2021-05-28 11:00:26.000000000 +0200
@@ -0,0 +1,47 @@
+From: Kunal Mehta <[email protected]>
+Date: Thu, 6 May 2021 14:15:03 -0700
+Subject: Ensure private archives stay private during import (CVE-2021-33038)
+
+hyperkitty keeps state of whether a mailing list's archives should be
+public or private in the hyperkitty_mailinglist table. However during
+the import process, it would create a row using the default settings
+(archive_policy="public") instead of getting the correct values from
+Mailman. It would only sync with Mailman at the end of the import
+process.
+
+This patch explicitly creates the hyperkitty_mailinglist row/object at
+the beginning of the import process, so the visiblity will be correctly
+obtained from Mailman, before any messages can be accidentally leaked.
+
+Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
+Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
+Bug-Debian: http://bugs.debian.org/989183
+---
+ hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py
b/hyperkitty/management/commands/hyperkitty_import.py
+index 7764fa8..f9532e4 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage,
add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+
+
+ # Allow all wierd line endings.
+@@ -319,6 +319,11 @@ class Command(BaseCommand):
+ # if (settings.DATABASES["default"]["ENGINE"]
+ # != "django.db.backends.sqlite3":
+ # transaction.set_autocommit(False)
++ # Sync list settings with Mailman before importing messages:
++ if not options["no_sync_mailman"]:
++ mlist = MailingList.objects.get_or_create(name=list_address)[0]
++ mlist.update_from_mailman()
++ mlist.save()
+ settings.HYPERKITTY_BATCH_MODE = True
+ # Only import emails newer than the latest email in the DB
+ latest_email_date = Email.objects.filter(
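Review bot: the new pre-sync block is gated on `if not options["no_sync_mailman"]:`, so an import run with the no-sync option skips it and the `hyperkitty_mailinglist` row is still created by the existing import path with its default `archive_policy="public"`, which is exactly the condition the patch description says leaks private archives. Either run the `get_or_create` / `update_from_mailman` / `save()` step regardless of that option, or document in the patch header and the command help that with `no_sync_mailman` the list must already exist in HyperKitty with the correct archive policy before any messages are imported.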
diff -Nru hyperkitty-1.3.4/debian/patches/series
hyperkitty-1.3.4/debian/patches/series
--- hyperkitty-1.3.4/debian/patches/series 2021-04-29 11:55:45.000000000
+0200
+++ hyperkitty-1.3.4/debian/patches/series 2021-05-28 11:00:26.000000000
+0200
@@ -2,3 +2,4 @@
0002_Use_python3_by_default.patch
0003-run-sassc-at-build-time.patch
0004_remove_link_to_google_fonts.patch
+0005_ensure_private_archives_during_import.patch
--- End Message ---
--- Begin Message ---
On 2021-05-28 11:23:44 +0200, Jonas Meurer wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package hyperkitty
>
> [ Reason ]
> hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
> private archives stay private during import). The patch is really simple and
> straightforward.
>
> I'd suggest unblocking hyperkitty 1.3.4-4 right away and not waiting for the
> 20-day period until it auto-migrates (due to autopkgtests).
Added a hint to set the required age to 5 days.
Cheers
--
Sebastian Ramacher
--- End Message ---