Date: Wed, 17 Jun 2015 00:44:49 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r389895 - in head/japanese/mailman: . files
Message-ID: <201506170044.t5H0inbU013632@svn.freebsd.org>
Author: delphij Date: Wed Jun 17 00:44:48 2015 New Revision: 389895 URL: https://svnweb.freebsd.org/changeset/ports/389895 Log: Apply patch for CVE-2015-2775. PR: ports/200562 Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org> Approved by: maintainer timeout Added: head/japanese/mailman/files/patch-CVE-2015-2775 (contents, props changed) Modified: head/japanese/mailman/Makefile Modified: head/japanese/mailman/Makefile ============================================================================== --- head/japanese/mailman/Makefile Wed Jun 17 00:24:46 2015 (r389894) +++ head/japanese/mailman/Makefile Wed Jun 17 00:44:48 2015 (r389895) @@ -3,7 +3,7 @@ PORTNAME= mailman PORTVERSION= 2.1.14.j7 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= japanese mail MASTER_SITES= http://www.python.jp/doc/contrib/mailman/_static/ \ Added: head/japanese/mailman/files/patch-CVE-2015-2775 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/japanese/mailman/files/patch-CVE-2015-2775 Wed Jun 17 00:44:48 2015 (r389895) @@ -0,0 +1,15 @@ +--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900 ++++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900 +@@ -93,6 +93,12 @@ + # + # The former two are for 2.1alpha3 and beyond, while the latter two are + # for all earlier versions. ++ # ++ # But first ensure the list name doesn't contain a path traversal ++ # attack. ++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: ++ syslog('mischief', 'Hostile listname: %s', listname) ++ return False + basepath = Site.get_listpath(listname) + for ext in ('.pck', '.pck.last', '.db', '.db.last'): + dbfile = os.path.join(basepath, 'config' + ext)
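
Review bot: The check added in the Mailman/Utils.py hunk depends on three names that this patch does not introduce: re, syslog and mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS. The context lines do not show that Utils.py in 2.1.14.j7 imports the first two or that this version's configuration defines the third, so each should be confirmed against the patched tree; if one is missing, the line "if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:" raises an exception instead of returning False. The check is also only as strict as the configured pattern: a site override of ACCEPTABLE_LISTNAME_CHARACTERS that admits "/" would let such a name reach Site.get_listpath(listname). Suggest noting that dependency in the comment above the check.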