Your message dated Wed, 08 Apr 2015 16:58:17 +0200
with message-id <[email protected]>
and subject line Re: Bug#782146: unblock: mailman/1:2.1.18-2
has caused the Debian Bug report #782146,
regarding unblock: mailman/1:2.1.18-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
782146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782146
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package mailman.
The diff is a security fix for CVE-2015-2775.
unblock mailman/1:2.1.18-2
Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog
--- mailman-2.1.18/debian/changelog 2014-07-10 18:01:59.000000000 +0000
+++ mailman-2.1.18/debian/changelog 2015-04-06 15:37:32.000000000 +0000
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+ * Fix security issue: path traversal through local_part.
+ Affects installations which use an Exim or Postfix transport
+ instead of fixed aliases; attacker needs to be able to place
+ files on the local filesystem.
+ (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <[email protected]> Mon, 06 Apr 2015 15:36:15 +0000
+
mailman (1:2.1.18-1) unstable; urgency=medium
* New upstream release.
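Review bot: the bug reference in the new changelog entry is written as `Closes: 781626` without the hash; dpkg-parsechangelog recognises it anyway, but the conventional and more readable form is `Closes: #781626`. The entry is otherwise a good fit for an unblock request: it names the CVE, the affected configurations (Exim/Postfix transports rather than static aliases) and the attacker precondition (ability to place files on the local filesystem), which is exactly what the release team needs to assess the risk.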
diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config
--- mailman-2.1.18/debian/config 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/config 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $
# $Id: config 693 2011-10-08 15:30:38Z thijs $
. /usr/share/debconf/confmodule
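Review bot: the `$URL` keyword rewrite in this hunk (and the identical ones in postinst, postrm, preinst.in, prerm and templates) is unrelated to CVE-2015-2775 and is not mentioned in the changelog. During a freeze the release team expects a diff limited to the fix; either drop these cosmetic changes from this upload or add a changelog line such as "Fix $URL keywords after svn repository move" so the reviewer does not have to work out that they are harmless.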
diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control
--- mailman-2.1.18/debian/control 2014-07-10 18:19:25.000000000 +0000
+++ mailman-2.1.18/debian/control 2015-04-06 15:30:32.000000000 +0000
@@ -4,7 +4,6 @@
Maintainer: Mailman for Debian <[email protected]>
Uploaders: Lionel Elie Mamane <[email protected]>,
Thijs Kinkhorst <[email protected]>,
- Thorsten Glaser <[email protected]>,
Hector Garcia <[email protected]>
Build-Depends: debhelper (>= 7), autoconf, python-dev (>= 2.6.6-3~), gettext, python-dnspython
Standards-Version: 3.9.5
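Review bot: removing Thorsten Glaser from Uploaders is a maintenance change unrelated to the security fix and is not recorded in the changelog. Either leave it for a later upload or add a changelog line ("Remove Thorsten Glaser from Uploaders") so the unblock diff is fully accounted for.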
diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch
--- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 1970-01-01 00:00:00.000000000 +0000
+++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 2015-04-06 15:44:18.000000000 +0000
@@ -0,0 +1,34 @@
+From: Mark Sapiro <[email protected]>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+
+ # A Python regular expression character class which defines the characters
+ # allowed in list names. Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class. Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+
+
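Review bot: the new comment says not to include '/' in ACCEPTABLE_LISTNAME_CHARACTERS, but nothing enforces that, and with this patch the class becomes security-relevant because Utils.list_exists() reuses it as the traversal filter. A site that widens the class in mm_cfg.py (for example to allow uppercase letters, which the shipped `[-+_.=a-z0-9]` does not) silently weakens the check. Consider hard-rejecting '/' and `os.sep` in list_exists() independently of the configurable class, and note in the comment that the class is case-sensitive and lowercase-only, so callers are expected to lowercase the name first or mixed-case names will be logged as hostile.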
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
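Review bot: the check lets through a listname consisting solely of dots, because '.' is in the default class: `re.sub('[-+_.=a-z0-9]', '', '..')` is empty, so `..` is not flagged and `Site.get_listpath('..')` still resolves to the parent of the lists directory. Whether anything useful sits there is a separate question, but a traversal filter should not admit `.` or `..` at all; add a second condition such as `if listname in ('.', '..') or not re.search('[a-z0-9]', listname): return False` next to the existing one. Two smaller points: the hunk does not show that `re` and `syslog` are imported in Utils.py, so confirm they are; and the guard protects only list_exists(), so check whether other callers of Site.get_listpath() receive MTA-supplied names without passing through it.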
diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series
--- mailman-2.1.18/debian/patches/series 2014-07-10 17:59:41.000000000 +0000
+++ mailman-2.1.18/debian/patches/series 2015-04-06 15:36:11.000000000 +0000
@@ -10,3 +10,4 @@
79_archiver_slash.patch
90_gettext_errors.patch
91_utf8.patch
+92_CVE-2015-2775.patch
diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst
--- mailman-2.1.18/debian/postinst 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postinst 2015-04-06 15:30:32.000000000 +0000
@@ -7,7 +7,7 @@
# Other modifications 2004-2007 by other maintainers of the Debian package:
# Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ...
#
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $
# $Id: postinst 693 2011-10-08 15:30:38Z thijs $
#
. /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/postrm mailman-2.1.18/debian/postrm
--- mailman-2.1.18/debian/postrm 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postrm 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postrm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postrm $
# $Id: postrm 600 2009-01-08 20:54:48Z thijs $
#DEBHELPER#
diff -Nru mailman-2.1.18/debian/preinst.in mailman-2.1.18/debian/preinst.in
--- mailman-2.1.18/debian/preinst.in 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/preinst.in 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#!/bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/preinst.in $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/preinst.in $
# $Id: preinst.in 704 2012-03-18 13:14:40Z thijs $
. /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/prerm mailman-2.1.18/debian/prerm
--- mailman-2.1.18/debian/prerm 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/prerm 2015-04-06 15:30:32.000000000 +0000
@@ -3,7 +3,7 @@
# prerm script for Debian python packages.
# Written 1998 by Gregor Hoffleit <[email protected]>.
#
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/prerm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/prerm $
# $Id: prerm 421 2006-10-08 12:50:00Z giskard-guest $
if [ "$1" = "failed-upgrade" ] ; then
diff -Nru mailman-2.1.18/debian/templates mailman-2.1.18/debian/templates
--- mailman-2.1.18/debian/templates 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/templates 2015-04-06 15:30:33.000000000 +0000
@@ -1,4 +1,4 @@
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/templates $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/templates $
# $Id: templates 693 2011-10-08 15:30:38Z thijs $
Template: mailman/site_languages
Type: multiselect
--- End Message ---
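To make the changelog's description of the fix concrete, here is an added Python example; it is not Mailman's code and not part of this bug report. It reimplements the character-class test the patch adds to Utils.list_exists(), checks where os.path.join would land for a given local_part the way Site.get_listpath() builds the path, and contrasts the patched test with a hypothetical stricter rule. ACCEPTABLE_LISTNAME_CHARACTERS is Mailman's shipped default; LIST_DATA_DIR, the strict regex and the sample names are assumptions made for the example.

```python
import os
import re

# Mailman 2.1's shipped default for ACCEPTABLE_LISTNAME_CHARACTERS
# (Defaults.py.in); the patch only adds a comment next to it.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Assumed stand-in for Mailman's lists directory; the real value comes
# from the site's mm_cfg.py and is not part of the patch.
LIST_DATA_DIR = '/var/lib/mailman/lists'


def is_hostile_listname(listname, charclass=ACCEPTABLE_LISTNAME_CHARACTERS):
    """The same test the patched Utils.list_exists() performs: delete every
    allowed character and treat the name as hostile if anything remains."""
    return len(re.sub(charclass, '', listname)) > 0


def listpath_escapes(listname, base=LIST_DATA_DIR):
    """True if os.path.join(base, listname), built the way Site.get_listpath()
    builds it, resolves outside the lists directory."""
    target = os.path.normpath(os.path.join(base, listname))
    return not (target == base or target.startswith(base + os.sep))


# Hypothetical stricter rule (not from the patch): allowed characters only,
# and at least one letter or digit, so '.', '..' and '-' are rejected too.
# fullmatch() is used so a trailing newline cannot slip past a '$' anchor.
STRICT_LISTNAME_RE = re.compile(r'(?=.*[a-z0-9])[-+_.=a-z0-9]+')


def strict_listname_ok(listname):
    return STRICT_LISTNAME_RE.fullmatch(listname) is not None


def classify(listname):
    """Summarise how a candidate local_part fares under each rule."""
    return {
        'name': listname,
        'patched_check_rejects': is_hostile_listname(listname),
        'path_escapes': listpath_escapes(listname),
        'strict_check_accepts': strict_listname_ok(listname),
    }


if __name__ == '__main__':
    # Constructed sample local_parts, not taken from any real system.
    for name in ('announce', '../../etc/passwd', '..', 'MyList'):
        print(classify(name))
```

Running it shows the shape of the fix and its edge: `../../etc/passwd` is rejected because '/' is outside the class, `..` passes the patched character test while os.path.join still lands in the parent of the lists directory, and `MyList` is rejected only because the shipped class is lowercase-only, which is why callers must normalise case before the check.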
--- Begin Message ---
On 2015-04-08 15:02, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package mailman.
>
> The diff is a security fix for CVE-2015-2775.
>
> unblock mailman/1:2.1.18-2
>
>
> Thanks,
> Thijs
>
Unblocked, thanks.
~Niels
--- End Message ---