Date: Thu, 8 Feb 2018 22:32:23 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r461277 - in head/mail/mailman: . files Message-ID: <201802082232.w18MWNcw004569@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Thu Feb 8 22:32:23 2018 New Revision: 461277 URL: https://svnweb.freebsd.org/changeset/ports/461277 Log: Security update to 2.1.26 (XSS bug), assorted other fixes. - Fix checksum failures in Defaults.py[c]: No longer patch Defaults.py in postinstall, instead configure --with-mailhost=localhost --with-urlhost=localhost, as Fedora and Arch Linux do. - Add a related note to FreeBSD-post-install-notes. - Add a related safeguard to the rcfile, which will refuse to run if the DEFAULT_*_HOSTs are not configured. This can be changed with a new mailman_run_localhost="YES" rc.conf setting, which will then restrict itself to printing the warnings, but still start mailman. - Update htdig patch to upstream SVN r1734. - Bump USES, python:2 -> python:2.7 - Regenerated patches. Changelog: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1743/NEWS#L8 Release/SecuritY announcement: https://www.mail-archive.com/mailman-users@python.org/msg70478.html PR: 225767 (related vuxml entry) Reported by: Vladimir Krstulja MFH: 2018Q1 Security: CVE-2018-5950 Security: 3d0eeef8-0cf9-11e8-99b0-d017c2987f9a Modified: head/mail/mailman/Makefile head/mail/mailman/distinfo head/mail/mailman/files/FreeBSD-post-install-notes head/mail/mailman/files/mailman.in head/mail/mailman/files/patch-Mailman__Defaults.py.in head/mail/mailman/files/patch-Mailman__htmlformat.py head/mail/mailman/files/patch-misc__mailman.in head/mail/mailman/files/pkg-install.in head/mail/mailman/pkg-plist Modified: head/mail/mailman/Makefile ============================================================================== --- head/mail/mailman/Makefile Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/Makefile Thu Feb 8 22:32:23 2018 (r461277) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= mailman -DISTVERSION= 2.1.25 +DISTVERSION= 2.1.26 PORTREVISION= 0 CATEGORIES= mail MASTER_SITES= GNU \ @@ -21,7 +21,7 @@ LICENSE_FILE= ${WRKSRC}/gnu-COPYING-GPL CONFLICTS= ja-mailman-2.1.* -USES= autoreconf cpe fakeroot python:2 shebangfix tar:tgz +USES= autoreconf cpe fakeroot python:2.7 shebangfix tar:tgz USE_RC_SUBR= mailman SHEBANG_FILES= bin/msgfmt.py \ tests/fblast.py \ @@ -36,8 +36,8 @@ CONFIGURE_ARGS+=--with-python=${PYTHON_CMD} \ --with-groupname=${MM_GROUPNAME} \ --with-mail-gid=${MAIL_GID} --with-cgi-gid=${CGI_GID} \ --with-permcheck=no \ - --with-mailhost=// \ - --with-urlhost=// + --with-mailhost=localhost \ + --with-urlhost=localhost # The Mailman port supports a number of variables that may be tweaked at # build time. Getting the values of some of them right is crucial! @@ -128,7 +128,7 @@ PKGNAMESUFFIX+= -with-htdig #X unpack this tarball, and the original distfile #X diff -NEur original-unpack bazaar-unpack | xz --best -c >msapiro-htdig-1702.patch.xz #X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory -_HTDIGREV= 1717 +_HTDIGREV= 1734 PATCHFILES+= msapiro-htdig-${_HTDIGREV}.patch.xz RUN_DEPENDS+= htdig:textproc/htdig PLIST_SUB+= SUB_HTDIG="" Modified: head/mail/mailman/distinfo ============================================================================== --- head/mail/mailman/distinfo Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/distinfo Thu Feb 8 22:32:23 2018 (r461277) @@ -1,5 +1,5 @@ -TIMESTAMP = 1509135818 -SHA256 (mailman/mailman-2.1.25.tgz) = 83a6dcbdc5356648db0ad03a0d55d4786071c04d4d6e69d5e95e1815975e0169 -SIZE (mailman/mailman-2.1.25.tgz) = 9254776 -SHA256 (mailman/msapiro-htdig-1717.patch.xz) = 9c272ce70507ece4f46b81a443540a2dbd68661d2f5db904e073782765b0e4a0 -SIZE (mailman/msapiro-htdig-1717.patch.xz) = 198620 +TIMESTAMP = 1518121723 +SHA256 (mailman/mailman-2.1.26.tgz) = 240177e1ef561ede88d7b48283c3835f39bbd0b1ae19100d3520cbe43058339f +SIZE (mailman/mailman-2.1.26.tgz) = 9264592 +SHA256 (mailman/msapiro-htdig-1734.patch.xz) = 1616c8ae2cb393bd60aa463523fe1b7e7f4bae20d29104242388ba1886e0b8c0 +SIZE (mailman/msapiro-htdig-1734.patch.xz) = 50304 Modified: head/mail/mailman/files/FreeBSD-post-install-notes ============================================================================== --- head/mail/mailman/files/FreeBSD-post-install-notes Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/FreeBSD-post-install-notes Thu Feb 8 22:32:23 2018 (r461277) @@ -38,6 +38,17 @@ package) can help with that. many of the steps you may read about in these files. Also, not everything in these files is necessarily relevant to the FreeBSD port. + In most cases, you will want to override the host name settings (which + default to 'localhost') by adding these lines to Mailman/mm_cfg.py: + (the documentation is in Mailman/Defaults.py, but you need to override + the defaults in mm_cfg.py instead, changes to Defaults.py are lost on + upgrades): + + # adjust and add this to Mailman/mm_cfg.py: + DEFAULT_URL_HOST = 'CHANGE_ME.example.org' + DEFAULT_EMAIL_HOST = 'CHANGE_ME.example.org' + add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) + 2) Integrating Mailman with your web server Modified: head/mail/mailman/files/mailman.in ============================================================================== --- head/mail/mailman/files/mailman.in Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/mailman.in Thu Feb 8 22:32:23 2018 (r461277) @@ -15,6 +15,10 @@ # check_perms on start or post-install. # Default is "YES", but this is unsuitable # for slow machines with many lists. +# +# mailman_run_localhost (bool): Set to "YES" to enable running mailman +# with unchanged DEFAULT_URL_HOST and +# DEFAULT_EMAIL_HOST. Default is "NO". . /etc/rc.subr @@ -31,14 +35,26 @@ load_rc_config $name : ${mailman_enable:="NO"} : ${mailman_fix_perms:="YES"} : ${mailman_flags:="-s -q"} +: ${mailman_run_localhost:="NO"} start_precmd=${name}_prestart extra_commands="reload status" mailman_prestart() { + ### check/fix permissions if desired if checkyesno mailman_fix_perms ; then check_startmsgs && echo "Fixing ${name} permissions:" env LC_ALL=C %%MAILMANDIR%%/bin/check_perms -f ${rc_debug:+-v} + fi + + ### check if the default configuration is plausible + vhosts=$(PYTHONPATH="%%MAILMANDIR%%/bin" "%%PYTHON_CMD%%" -c 'import paths;from Mailman import mm_cfg;_x=dict(mm_cfg.VIRTUAL_HOSTS);print repr(_x);') + if [ "${vhosts}" = "{'localhost': 'localhost'}" ] ; then + warn 'Be sure to change the default hosts in Mailman/mm_cfg.py!' + warn 'Review %%DOCSDIR%%/FreeBSD-post-install-notes for instructions.' + if ! checkyesno mailman_run_localhost ; then + err 78 "Start of mailman refused due to insufficient configuration." + fi fi } Modified: head/mail/mailman/files/patch-Mailman__Defaults.py.in ============================================================================== --- head/mail/mailman/files/patch-Mailman__Defaults.py.in Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/patch-Mailman__Defaults.py.in Thu Feb 8 22:32:23 2018 (r461277) @@ -1,15 +1,15 @@ ---- Mailman/Defaults.py.in.orig 2008-04-24 09:47:40.000000000 -0300 -+++ Mailman/Defaults.py.in 2008-04-24 09:50:37.000000000 -0300 -@@ -107,7 +107,7 @@ +--- Mailman/Defaults.py.in.orig 2018-02-04 17:04:39 UTC ++++ Mailman/Defaults.py.in +@@ -148,7 +148,7 @@ GLOBAL_BAN_LIST = [] # Command that is used to convert text/html parts into plain text. This # should output results to standard output. %(filename)s will contain the # name of the temporary file that the program should operate on. -HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s' +HTML_TO_PLAIN_TEXT_COMMAND = '%%LOCALBASE%%/bin/lynx -dump %(filename)s' - - -@@ -395,8 +395,8 @@ + # A Python regular expression character class which defines the characters + # allowed in list names. Lists cannot be created with names containing any +@@ -538,8 +538,8 @@ VIRTUAL_MAILMAN_LOCAL_DOMAIN = None # and virtual-mailman.db files, respectively, from the associated plain text # files. The file being updated will be appended to this string (with a # separating space), so it must be appropriate for os.system(). @@ -20,16 +20,16 @@ # Ceiling on the number of recipients that can be specified in a single SMTP # transaction. Set to 0 to submit the entire recipient list in one -@@ -430,7 +430,7 @@ +@@ -573,7 +573,7 @@ SMTPPORT = 0 # Command for direct command pipe delivery to sendmail compatible program, # when DELIVERY_MODULE is 'Sendmail'. -SENDMAIL_CMD = '/usr/lib/sendmail' +SENDMAIL_CMD = '/usr/sbin/sendmail' - # Set these variables if you need to authenticate to your NNTP server for - # Usenet posting or reading. If no authentication is necessary, specify None -@@ -673,6 +673,12 @@ + # SMTP authentication for DELIVERY_MODULE = 'SMTPDirect'. To enable SASL + # authentication for SMTPDirect, set SMTP_AUTH = Yes and provide appropriate +@@ -851,6 +851,12 @@ VERP_CONFIRMATIONS = No # debugging). MAX_AUTORESPONSES_PER_DAY = 10 Modified: head/mail/mailman/files/patch-Mailman__htmlformat.py ============================================================================== --- head/mail/mailman/files/patch-Mailman__htmlformat.py Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/patch-Mailman__htmlformat.py Thu Feb 8 22:32:23 2018 (r461277) @@ -1,6 +1,6 @@ ---- Mailman/htmlformat.py.orig Sun Apr 21 17:27:02 2002 -+++ Mailman/htmlformat.py Fri Sep 27 16:17:48 2002 -@@ -600,12 +600,14 @@ +--- Mailman/htmlformat.py.orig 2018-02-04 17:04:39 UTC ++++ Mailman/htmlformat.py +@@ -646,12 +646,14 @@ class DefinitionList(Container): from mm_cfg import MAILMAN_URL PYTHON_URL = 'http://www.python.org/' GNU_URL = 'http://www.gnu.org/' @@ -15,7 +15,7 @@ def MailmanLogo(): -@@ -617,17 +619,17 @@ +@@ -663,17 +665,17 @@ def MailmanLogo(): '<br>version %s' % (logo(DELIVERED_BY), mm_cfg.VERSION) pylink = '<img src="%s" alt="Python Powered" border=0>' % \ logo(PYTHON_POWERED) Modified: head/mail/mailman/files/patch-misc__mailman.in ============================================================================== --- head/mail/mailman/files/patch-misc__mailman.in Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/patch-misc__mailman.in Thu Feb 8 22:32:23 2018 (r461277) @@ -1,6 +1,6 @@ ---- misc/mailman.in.orig Thu Mar 7 08:09:51 2002 -+++ misc/mailman.in Fri Sep 27 15:56:40 2002 -@@ -39,15 +39,19 @@ +--- misc/mailman.in.orig 2018-02-04 17:04:39 UTC ++++ misc/mailman.in +@@ -52,16 +52,20 @@ MAILMANCTL=$MAILMANHOME/bin/mailmanctl case "$1" in 'start') #rm -f $MAILMANHOME/locks/* @@ -15,10 +15,11 @@ 'restart') $PYTHON $MAILMANCTL -q restart -+ ;; + ;; +*) + echo "Usage: `basename $0` {start|stop|restart}" >&2 + exit 64 - ;; ++ ;; - esac + 'reopen') + $PYTHON $MAILMANCTL -q reopen Modified: head/mail/mailman/files/pkg-install.in ============================================================================== --- head/mail/mailman/files/pkg-install.in Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/files/pkg-install.in Thu Feb 8 22:32:23 2018 (r461277) @@ -106,9 +106,6 @@ POST-INSTALL) echo "---> rcfile sets mailman_fix_perms to no, skipping check_perms" fi - echo "---> Fixing up default host names (MAILHOST, URLHOST)" - sed -Ee "s}^(DEFAULT_(EMAIL|URL)_HOST) = '//'}\1 = '`hostname -f`'}" -i '' "%%MAILMANDIR%%/Mailman/Defaults.py" - echo "---> Running assorted other checks" if egrep -q "^[ \t]*MTA.*=.*Postfix" "%%MAILMANDIR%%/Mailman/mm_cfg.py" ; then # run Postfix-specific checks Modified: head/mail/mailman/pkg-plist ============================================================================== --- head/mail/mailman/pkg-plist Thu Feb 8 22:23:59 2018 (r461276) +++ head/mail/mailman/pkg-plist Thu Feb 8 22:32:23 2018 (r461277) @@ -338,6 +338,7 @@ %%MMDIR%%/bin/list_lists %%MMDIR%%/bin/list_members %%MMDIR%%/bin/list_owners +%%MMDIR%%/bin/mailman-config %%MMDIR%%/bin/mailmanctl %%MMDIR%%/bin/mmsitepass %%MMDIR%%/bin/msgfmt.py @@ -2161,6 +2162,7 @@ %%MMDIR%%/tests/bounces/exim_01.txt %%MMDIR%%/tests/bounces/groupwise_01.txt %%MMDIR%%/tests/bounces/groupwise_02.txt +%%MMDIR%%/tests/bounces/groupwise_03.txt %%MMDIR%%/tests/bounces/hotpop_01.txt %%MMDIR%%/tests/bounces/llnl_01.txt %%MMDIR%%/tests/bounces/microsoft_01.txt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201802082232.w18MWNcw004569>