[Pkg-mailman-hackers] Pkg-mailman commit - rev 772 - in branches/squeeze/debian: . patches
Thijs Kinkhorst
thijs at moszumanska.debian.org
Mon Apr 6 16:30:07 UTC 2015
Author: thijs
Date: 2015-04-06 16:30:07 +0000 (Mon, 06 Apr 2015)
New Revision: 772
Added:
branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch
Modified:
branches/squeeze/debian/changelog
branches/squeeze/debian/patches/series
Log:
pending from 2011: 1:2.1.13-5
Modified: branches/squeeze/debian/changelog
===================================================================
--- branches/squeeze/debian/changelog 2015-04-06 16:28:01 UTC (rev 771)
+++ branches/squeeze/debian/changelog 2015-04-06 16:30:07 UTC (rev 772)
@@ -1,3 +1,10 @@
+mailman (1:2.1.13-5) stable-security; urgency=high
+
+ * Upload to stable to fix security issue.
+ * CVE-2011-0707: Cross site scripting in subscriber names.
+
+ -- Thijs Kinkhorst <thijs at debian.org> Wed, 16 Feb 2011 20:36:49 +0100
+
mailman (1:2.1.13-4.1) unstable; urgency=high
* Non-maintainer upload.
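Review bot: the new changelog entry is dated Wed, 16 Feb 2011 while this commit is dated 2015-04-06 and the log says "pending from 2011", so please confirm that version 1:2.1.13-5 and that date match what was actually uploaded to stable-security; the changelog is the record of what shipped, and a four-year gap between entry and commit is the kind of thing that gets questioned later. The CVE line would also be more useful to someone reading the changelog alone if it named the affected component, e.g. "CVE-2011-0707: Cross site scripting in subscriber names (confirm CGI)."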
Added: branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch
===================================================================
--- branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch (rev 0)
+++ branches/squeeze/debian/patches/83_CVE-2011-0707_xss.patch 2015-04-06 16:30:07 UTC (rev 772)
@@ -0,0 +1,30 @@
+--- a/Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +0000
++++ b/Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +0000
+@@ -471,7 +471,7 @@
+ if fullname is None:
+ fullname = _('<em>Not available</em>')
+ else:
+- fullname = Utils.uncanonstr(fullname, lang)
++ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+ table.AddRow([_("""Your confirmation is required in order to complete the
+ unsubscription request from the mailing list <em>%(listname)s</em>. You
+ are currently subscribed with
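Review bot: the escaping order here is the right one, Utils.websafe applied to the output of Utils.uncanonstr, so the value that reaches the HTML is escaped after any character conversion rather than before it, and the `fullname = _('<em>Not available</em>')` branch is correctly left unescaped because that markup is a fixed literal, not subscriber input. One thing worth checking against the full upstream change: the interpolated value is only safe if this is the last transformation before it lands in the table.AddRow template text; if any later code path re-decodes or re-canonicalises fullname, the escaping is lost.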
+@@ -573,7 +573,7 @@
+ if fullname is None:
+ fullname = _('<em>Not available</em>')
+ else:
+- fullname = Utils.uncanonstr(fullname, lang)
++ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+ if globally:
+ globallys = _('globally')
+ else:
+@@ -814,7 +814,7 @@
+ if username is None:
+ username = _('<em>not available</em>')
+ else:
+- username = Utils.uncanonstr(username, lang)
++ username = Utils.websafe(Utils.uncanonstr(username, lang))
+
+ table.AddRow([_("""Your membership in the %(realname)s mailing list is
+ currently disabled due to excessive bounces. Your confirmation is
+
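Review bot: the patch file has no DEP-3 header (Description, Origin, Bug, Applied-Upstream), which the other patches in this package series are expected to carry; add one naming CVE-2011-0707 and the upstream source of the change so the fix can be traced without reading the changelog. Also note that all three hunks touch only Mailman/Cgi/confirm.py; please confirm that the upstream fix does not also cover other CGI scripts that render a subscriber-supplied name, since the pattern fixed here (uncanonstr output placed directly into HTML) is the same in each hunk and would be just as exploitable anywhere else it occurs.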
Modified: branches/squeeze/debian/patches/series
===================================================================
--- branches/squeeze/debian/patches/series 2015-04-06 16:28:01 UTC (rev 771)
+++ branches/squeeze/debian/patches/series 2015-04-06 16:30:07 UTC (rev 772)
@@ -19,4 +19,5 @@
74_admin_non-ascii_emails.patch
79_archiver_slash.patch
83-CVE-2010-3089--bug599833.patch
+83_CVE-2011-0707_xss.patch
99_js_templates.patch
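Review bot: the new entry `83_CVE-2011-0707_xss.patch` reuses the `83` prefix already taken by `83-CVE-2010-3089--bug599833.patch` and uses underscores where that neighbour uses hyphens; a unique prefix (e.g. `84_`) keeps the intended ordering of the series unambiguous and avoids two unrelated CVE patches sharing a number. Placement before `99_js_templates.patch` is otherwise fine.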