Date: Wed, 17 Jun 2015 17:21:18 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r389950 - in branches/2015Q2/japanese/mailman: . files
Message-ID: <201506171721.t5HHLIq0014056@svn.freebsd.org>
Author: delphij Date: Wed Jun 17 17:21:18 2015 New Revision: 389950 URL: https://svnweb.freebsd.org/changeset/ports/389950 Log: MFH: r389895 (requested by tato@) Apply patch for CVE-2015-2775. PR: ports/200562 Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org> Approved by: ports-secteam@ Added: branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 - copied unchanged from r389895, head/japanese/mailman/files/patch-CVE-2015-2775 Modified: branches/2015Q2/japanese/mailman/Makefile Directory Properties: branches/2015Q2/ (props changed) Modified: branches/2015Q2/japanese/mailman/Makefile ============================================================================== --- branches/2015Q2/japanese/mailman/Makefile Wed Jun 17 17:20:36 2015 (r389949) +++ branches/2015Q2/japanese/mailman/Makefile Wed Jun 17 17:21:18 2015 (r389950) @@ -3,7 +3,7 @@ PORTNAME= mailman PORTVERSION= 2.1.14.j7 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= japanese mail MASTER_SITES= http://www.python.jp/doc/contrib/mailman/_static/ \ Copied: branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 (from r389895, head/japanese/mailman/files/patch-CVE-2015-2775) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 Wed Jun 17 17:21:18 2015 (r389950, copy of r389895, head/japanese/mailman/files/patch-CVE-2015-2775) 
@@ -0,0 +1,15 @@ +--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900 ++++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900 +@@ -93,6 +93,12 @@ + # + # The former two are for 2.1alpha3 and beyond, while the latter two are + # for all earlier versions. ++ # ++ # But first ensure the list name doesn't contain a path traversal ++ # attack. ++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: ++ syslog('mischief', 'Hostile listname: %s', listname) ++ return False + basepath = Site.get_listpath(listname) + for ext in ('.pck', '.pck.last', '.db', '.db.last'): + dbfile = os.path.join(basepath, 'config' + ext)
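Review bot: In the Mailman/Utils.py hunk carried by patch-CVE-2015-2775, the new check relies on re and on mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, and nothing in this patch adds either one, so please confirm that 2.1.14.j7 already imports re in Utils.py and defines that setting in its defaults; if not, the check raises an exception instead of returning False. The pattern is also applied without flags, so if it lists only lowercase characters and a caller can reach this point with a name that has not been lowercased, a legitimate list name would be rejected and logged as hostile. Last, syslog('mischief', 'Hostile listname: %s', listname) writes the rejected name verbatim, and this branch runs exactly when the name contains characters outside the accepted set, so logging an escaped form such as repr(listname) would keep newlines and control characters out of the mischief log.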