[Pkg-mailman-hackers] Pkg-mailman commit - rev 680 - in trunk/debian: . patches

Thijs Kinkhorst thijs at alioth.debian.org
Sat Feb 19 07:31:59 UTC 2011


Author: thijs
Date: 2011-02-19 07:31:54 +0000 (Sat, 19 Feb 2011)
New Revision: 680

Added:
   trunk/debian/patches/80_CVE-2011-0707_confirm_xss.patch
Modified:
   trunk/debian/changelog
   trunk/debian/patches/series
Log:
Add upstream patch for CVE-2011-0707: XSS in confirmations.

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2011-02-16 19:34:34 UTC (rev 679)
+++ trunk/debian/changelog	2011-02-19 07:31:54 UTC (rev 680)
@@ -1,10 +1,11 @@
-mailman (1:2.1.14-1) UNRELEASED; urgency=low
+mailman (1:2.1.14-1) unstable; urgency=medium
 
   * New upstream release. Patches incorporated:
     - 15_mailmanctl_daemonize.patch
     - 83-CVE-2010-3089--bug599833.patch
+  * Add upstream patch for CVE-2011-0707: XSS in confirmations.
 
- -- Thijs Kinkhorst <thijs at debian.org>  Wed, 16 Feb 2011 19:38:26 +0100
+ -- Thijs Kinkhorst <thijs at debian.org>  Sat, 19 Feb 2011 08:26:43 +0100
 
 mailman (1:2.1.13-4.1) unstable; urgency=high
 
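Review bot: the new changelog entry ships a CVE fix at urgency=medium, while the previous security upload in the same file (1:2.1.13-4.1) used urgency=high; for an XSS fix that goes straight into unstable, matching that precedent with urgency=high would let it migrate faster, so consider `mailman (1:2.1.14-1) unstable; urgency=high`. The bullet itself is fine, though it could name the affected script (Mailman/Cgi/confirm.py) so the changelog is searchable without opening the patch.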

Added: trunk/debian/patches/80_CVE-2011-0707_confirm_xss.patch
===================================================================
--- trunk/debian/patches/80_CVE-2011-0707_confirm_xss.patch	                        (rev 0)
+++ trunk/debian/patches/80_CVE-2011-0707_confirm_xss.patch	2011-02-19 07:31:54 UTC (rev 680)
@@ -0,0 +1,34 @@
+Patch: 80_CVE-2011-0707_confirm_xss.patch
+Author: Mark Sapiro
+Upstream patch to address XSS in cofirmation messages. CVE-2011-0707
+
+--- a/Mailman/Cgi/confirm.py	2010-03-29 20:48:11 +0000
++++ b/Mailman/Cgi/confirm.py	2011-02-12 02:24:47 +0000
+@@ -471,7 +471,7 @@
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
++        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     table.AddRow([_("""Your confirmation is required in order to complete the
+     unsubscription request from the mailing list <em>%(listname)s</em>.  You
+     are currently subscribed with
+@@ -573,7 +573,7 @@
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
++        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     if globally:
+         globallys = _('globally')
+     else:
+@@ -814,7 +814,7 @@
+     if username is None:
+         username = _('<em>not available</em>')
+     else:
+-        username = Utils.uncanonstr(username, lang)
++        username = Utils.websafe(Utils.uncanonstr(username, lang))
+ 
+     table.AddRow([_("""Your membership in the %(realname)s mailing list is
+     currently disabled due to excessive bounces.  Your confirmation is
+
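Review bot: the patch header does not follow DEP-3, so tooling cannot tell where this came from or whether it is already upstream; replace the ad-hoc `Patch:`/`Author:` lines with `Description:`, `Origin: upstream` (with the upstream commit or bug URL if available) and `Forwarded: not-needed`, and fix the typo "cofirmation" in the description line. The code change itself looks right: wrapping `Utils.uncanonstr(...)` in `Utils.websafe(...)` escapes the user-supplied name after charset conversion, so the escaping is the last step before the value is interpolated into the HTML table, and the three hunks cover the unsubscribe, address-change and re-enable confirmation pages. It would be worth stating in the description that the other `uncanonstr` call sites in confirm.py were checked, since the fix pattern is identical and a reader of the patch cannot see which ones were left unchanged.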

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2011-02-16 19:34:34 UTC (rev 679)
+++ trunk/debian/patches/series	2011-02-19 07:31:54 UTC (rev 680)
@@ -16,4 +16,5 @@
 71_date_overflows.patch
 74_admin_non-ascii_emails.patch
 79_archiver_slash.patch
+80_CVE-2011-0707_confirm_xss.patch
 99_js_templates.patch
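Review bot: placement keeps the series numerically ordered (80_ after 79_archiver_slash.patch, before 99_js_templates.patch), which is all that is needed here; since the patch carries its own file dates from 2011-02-12 against an upstream confirm.py and this package has just moved to 2.1.14, a `quilt push -a` before upload would confirm all three hunks still apply without fuzz.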



