packages/mailman
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!17 [sync] PR-15: fix CVE-2020-15011

Browse Source 
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-10-25 10:42:09 +00:00 committed by Gitee
commit 1a9ffd3023
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
CVE-2020-15011.patch Normal file
View File

@ -0,0 +1,26 @@
Description: Arbitrary content injection via Cgi/private.py archive login page
Origin: https://bugs.launchpad.net/mailman/+bug/1877379
Author: Mark Sapiro
=== modified file 'Mailman/Cgi/private.py'
Index: mailman-2.1.26/Mailman/Cgi/private.py
===================================================================
--- mailman-2.1.26.orig/Mailman/Cgi/private.py
+++ mailman-2.1.26/Mailman/Cgi/private.py
@@ -155,13 +155,9 @@ def main():
if mlist.isMember(username):
mlist.MailUserPassword(username)
elif username:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- safeuser = Utils.websafe(username)
- message = Bold(FontSize('+1',
- _('No such member: %(safeuser)s.'))).Format()
- else:
+ # Not a member. Don't report address in any case. It leads to
+ # Content injection. Just log if roster is not public.
+ if mlist.private_roster != 0:
syslog('mischief',
'Reminder attempt of non-member w/ private rosters: %s',
username)

6
mailman.spec
View File

@ -3,7 +3,7 @@
Name: mailman Name: mailman
Version: 2.1.29 Version: 2.1.29
Release: 6 Release: 7
Epoch: 3 Epoch: 3
Summary: GNU Mailing List Manager Summary: GNU Mailing List Manager
License: GPLv2+ License: GPLv2+
@ -29,6 +29,7 @@ Patch21: mailman-2.1.13-env-python.patch
Patch22: mailman-2.1.15-check_perms.patch Patch22: mailman-2.1.15-check_perms.patch
Patch23: CVE-2020-12108.patch Patch23: CVE-2020-12108.patch
Patch24: CVE-2020-12137.patch Patch24: CVE-2020-12137.patch
Patch25: CVE-2020-15011.patch
BuildRequires: automake gcc python2-devel systemd python2-dns BuildRequires: automake gcc python2-devel systemd python2-dns
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -423,6 +424,9 @@ exit 0
%dir %attr(775,root,%{name}) /var/lock/%{name} %dir %attr(775,root,%{name}) /var/lock/%{name}
%changelog %changelog
* Mon Oct 25 2021 yaoxin <yaoxin30@huawei.com> - 2.1.29-7
- Fix CVE-2020-15011
* Tue Oct 19 2021 liwu <liwu13@huawei.com> - 2.1.29-6 * Tue Oct 19 2021 liwu <liwu13@huawei.com> - 2.1.29-6
- Fix CVE-2020-12108 CVE-2020-12137 - Fix CVE-2020-12108 CVE-2020-12137