[Pkg-mailman-hackers] Pkg-mailman commit - rev 772 - in branches/squeeze/debian: . patches

Thijs Kinkhorst thijs at moszumanska.debian.org
Mon Apr 6 16:30:07 UTC 2015


Author: thijs
Date: 2015-04-06 16:30:07 +0000 (Mon, 06 Apr 2015)
New Revision: 772

Added:
   branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch
Modified:
   branches/squeeze/debian/changelog
   branches/squeeze/debian/patches/series
Log:
pending from 2011: 1:2.1.13-5


Modified: branches/squeeze/debian/changelog
===================================================================
--- branches/squeeze/debian/changelog	2015-04-06 16:28:01 UTC (rev 771)
+++ branches/squeeze/debian/changelog	2015-04-06 16:30:07 UTC (rev 772)
@@ -1,3 +1,10 @@
+mailman (1:2.1.13-5) stable-security; urgency=high
+
+  * Upload to stable to fix security issue.
+  * CVE-2011-0707: Cross site scripting in subscriber names.
+
+ -- Thijs Kinkhorst <thijs at debian.org>  Wed, 16 Feb 2011 20:36:49 +0100
+
 mailman (1:2.1.13-4.1) unstable; urgency=high
 
   * Non-maintainer upload.
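Review bot: the new changelog entry names the CVE but not the affected component; since the accompanying patch only touches Mailman/Cgi/confirm.py, stating that the cross-site scripting is in the subscriber full name as rendered by the confirm CGI page would tell stable users which interface was exposed without reading the patch.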

Added: branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch
===================================================================
--- branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch	                        (rev 0)
+++ branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch	2015-04-06 16:30:07 UTC (rev 772)
@@ -0,0 +1,30 @@
+--- a/Mailman/Cgi/confirm.py	2010-03-29 20:48:11 +0000
++++ b/Mailman/Cgi/confirm.py	2011-02-12 02:24:47 +0000
+@@ -471,7 +471,7 @@
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
++        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     table.AddRow([_("""Your confirmation is required in order to complete the
+     unsubscription request from the mailing list <em>%(listname)s</em>.  You
+     are currently subscribed with
+@@ -573,7 +573,7 @@
+     if fullname is None:
+         fullname = _('<em>Not available</em>')
+     else:
+-        fullname = Utils.uncanonstr(fullname, lang)
++        fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+     if globally:
+         globallys = _('globally')
+     else:
+@@ -814,7 +814,7 @@
+     if username is None:
+         username = _('<em>not available</em>')
+     else:
+-        username = Utils.uncanonstr(username, lang)
++        username = Utils.websafe(Utils.uncanonstr(username, lang))
+ 
+     table.AddRow([_("""Your membership in the %(realname)s mailing list is
+     currently disabled due to excessive bounces.  Your confirmation is
+
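Review bot: the added patch file carries no DEP-3 header, so it should start with at least "Description:", "Origin:" and "Bug-Debian:" or a CVE reference line before the first "---" marker to record where the fix comes from and that it addresses CVE-2011-0707. On the fix itself the three hunks are consistent: websafe() is applied after uncanonstr(), which is the correct order, since uncanonstr() expands character references into their characters and escaping afterwards catches any markup that expansion produces; the "<em>Not available</em>" fallback branches are deliberately left unescaped as they are static translated markup, not user input. Note also that the file ends with an empty "+" line, which quilt will accept but which can be dropped.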

Modified: branches/squeeze/debian/patches/series
===================================================================
--- branches/squeeze/debian/patches/series	2015-04-06 16:28:01 UTC (rev 771)
+++ branches/squeeze/debian/patches/series	2015-04-06 16:30:07 UTC (rev 772)
@@ -19,4 +19,5 @@
 74_admin_non-ascii_emails.patch
 79_archiver_slash.patch
 83-CVE-2010-3089--bug599833.patch
+83_CVE-2011-0707_xss.patch
 99_js_templates.patch
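Review bot: the series now contains two patches with the "83" prefix (83-CVE-2010-3089--bug599833.patch and 83_CVE-2011-0707_xss.patch), and the two use different separators ("-" versus "_"), so consider renumbering the new one (for example to 84_CVE-2011-0707_xss.patch) and matching the existing naming style so the series order stays unambiguous.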
