git: 4854dd90a199 - main - mail/mailman: pull in the post-2.1.39 fixes upstream...
Date: Wed, 08 Nov 2023 19:42:14 UTC
The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=4854dd90a199107cd6a94da257131e09927de3c5 commit 4854dd90a199107cd6a94da257131e09927de3c5 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2023-11-08 19:40:22 +0000 Commit: Matthias Andree <mandree@FreeBSD.org> CommitDate: 2023-11-08 19:42:12 +0000 mail/mailman: pull in the post-2.1.39 fixes upstream... by diffing revisions 1885 (2.1.39) against 1893 in the upstream repo While here, drop USES=autoreconf, which we no longer need, and which triggers warnings from autoconf because the configure.in was developed for an older autoconf version. Bump PORTREVISION to 2. --- mail/mailman/Makefile | 4 +- mail/mailman/files/patch-0-r1885-r1893 | 195 +++++++++++++++++++++++++++++++++ 2 files changed, 197 insertions(+), 2 deletions(-) diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile index 65c8df3f485a..ecf88cdd7569 100644 --- a/mail/mailman/Makefile +++ b/mail/mailman/Makefile @@ -1,6 +1,6 @@ PORTNAME= mailman DISTVERSION= 2.1.39 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail MASTER_SITES= GNU \ SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \ @@ -17,7 +17,7 @@ WWW= https://www.list.org/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/gnu-COPYING-GPL -USES= autoreconf cpe fakeroot python:2.7 shebangfix tar:tgz +USES= cpe fakeroot python:2.7 shebangfix tar:tgz CPE_VENDOR= gnu USE_RC_SUBR= mailman diff --git a/mail/mailman/files/patch-0-r1885-r1893 b/mail/mailman/files/patch-0-r1885-r1893 new file mode 100644 index 000000000000..fbcde7e7f206 --- /dev/null +++ b/mail/mailman/files/patch-0-r1885-r1893 @@ -0,0 +1,195 @@ +This is a patch generated by unpacking +https://bazaar.launchpad.net/tarball/1885 +https://bazaar.launchpad.net/tarball/1893 +as .tgz tarballs into separate directories and diffing it +with GNU diff -NEur: + +diff -NEur bin/cleanarch bin/cleanarch +--- bin/cleanarch 2018-06-18 01:47:34.744000000 +0200 ++++ bin/cleanarch 2022-01-11 04:08:45.300000000 +0100 +@@ -60,7 +60,7 @@ + # From RFC 2822, a header field name must contain only characters from 33-126 + # inclusive, excluding colon. I.e. from oct 41 to oct 176 less oct 072. Must + # use re.match() so that it's anchored at the beginning of the line. +-fre = re.compile(r'[\041-\071\073-\176]+') ++fre = re.compile(r'[\041-\071\073-\176]+:') + + + +diff -NEur Mailman/Cgi/options.py Mailman/Cgi/options.py +--- Mailman/Cgi/options.py 2021-11-24 04:38:19.869000000 +0100 ++++ Mailman/Cgi/options.py 2023-05-22 21:58:09.582000000 +0200 +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2023 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -164,13 +164,40 @@ + loginpage(mlist, doc, None, language) + print doc.Format() + return +- # Sanity check the user, but only give the "no such member" error when +- # using public rosters, otherwise, we'll leak membership information. ++ # Sanity check the user, but we have to give the appropriate error msg ++ # to not potentially leak membership info. This is a kludge here. We ++ # have to check membership here to avoid LP: #1951769, but then we have ++ # to give the appropriate error to avoid LP: #1968443 ++ msgc = _('If you are a list member, a confirmation email has been sent.') ++ msgb = _('You already have a subscription pending confirmation') ++ msga = _("""If you are a list member, your unsubscription request has been ++ forwarded to the list administrator for approval.""") ++ msgd = _("""If you are a list member, ++ your password has been emailed to you.""") + if not mlist.isMember(user): + if mlist.private_roster == 0: + doc.addError(_('No such member: %(safeuser)s.')) +- loginpage(mlist, doc, None, language) +- print doc.Format() ++ user = None ++ elif cgidata.has_key('login-unsub'): ++ syslog('mischief', ++ 'Unsub attempt of non-member w/ private rosters: %s', ++ user) ++ if mlist.unsubscribe_policy: ++ doc.addError(msga, tag='') ++ else: ++ doc.addError(msgc, tag='') ++ user = None ++ elif cgidata.has_key('login-remind'): ++ syslog('mischief', ++ 'Reminder attempt of non-member w/ private rosters: %s', ++ user) ++ doc.addError(msgd, tag='') ++ user = None ++ # We get here with a non-None user in the case of a non-member with ++ # private rosters. This creates a possible membership leak, but we ++ # fix that a different way. See LP: #2017813. ++ loginpage(mlist, doc, user, language) ++ print doc.Format() + return + + # Avoid cross-site scripting attacks +@@ -204,10 +231,6 @@ + i18n.set_language(userlang) + + # Are we processing an unsubscription request from the login screen? +- msgc = _('If you are a list member, a confirmation email has been sent.') +- msgb = _('You already have a subscription pending confirmation') +- msga = _("""If you are a list member, your unsubscription request has been +- forwarded to the list administrator for approval.""") + if cgidata.has_key('login-unsub'): + # Because they can't supply a password for unsubscribing, we'll need + # to do the confirmation dance. +@@ -233,39 +256,20 @@ + finally: + mlist.Unlock() + else: +- # Not a member +- if mlist.private_roster == 0: +- # Public rosters +- doc.addError(_('No such member: %(safeuser)s.')) +- else: +- syslog('mischief', +- 'Unsub attempt of non-member w/ private rosters: %s', +- user) +- if mlist.unsubscribe_policy: +- doc.addError(msga, tag='') +- else: +- doc.addError(msgc, tag='') ++ # Not a member handled above. ++ pass + loginpage(mlist, doc, user, language) + print doc.Format() + return + + # Are we processing a password reminder from the login screen? +- msg = _("""If you are a list member, +- your password has been emailed to you.""") + if cgidata.has_key('login-remind'): + if mlist.isMember(user): + mlist.MailUserPassword(user) +- doc.addError(msg, tag='') ++ doc.addError(msgd, tag='') + else: +- # Not a member +- if mlist.private_roster == 0: +- # Public rosters +- doc.addError(_('No such member: %(safeuser)s.')) +- else: +- syslog('mischief', +- 'Reminder attempt of non-member w/ private rosters: %s', +- user) +- doc.addError(msg, tag='') ++ # Not a member handled above. ++ pass + loginpage(mlist, doc, user, language) + print doc.Format() + return +@@ -293,7 +297,9 @@ + # to authenticate via cgi (instead of cookie), then print an error + # message. + if cgidata.has_key('password'): +- doc.addError(_('Authentication failed.')) ++ if mlist.private_roster == 0: ++ # Only add error with public rosters lp: #2015416 ++ doc.addError(_('Authentication failed.')) + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', +@@ -307,9 +313,11 @@ + syslog('mischief', + 'Login failure with private rosters: %s from %s', + user, remote) +- user = None ++ # Don't clear user here. See LP: #2017813. + # give an HTTP 401 for authentication failure +- print 'Status: 401 Unauthorized' ++ if mlist.private_roster == 0: ++ # Only add error with public rosters lp: #2015416 ++ print 'Status: 401 Unauthorized' + loginpage(mlist, doc, user, language) + print doc.Format() + return +diff -NEur messages/de/LC_MESSAGES/mailman.po messages/de/LC_MESSAGES/mailman.po +--- messages/de/LC_MESSAGES/mailman.po 2020-06-27 02:12:17.548000000 +0200 ++++ messages/de/LC_MESSAGES/mailman.po 2022-03-29 01:55:20.774000000 +0200 +@@ -4577,7 +4577,7 @@ + + #: Mailman/Defaults.py:1809 + msgid "Esperanto" +-msgstr "Deutsch" ++msgstr "Esperanto" + + # Mailman/Defaults.py:773 + #: Mailman/Defaults.py:1810 +diff -NEur NEWS NEWS +--- NEWS 2021-12-13 21:36:11.555000000 +0100 ++++ NEWS 2023-05-22 21:58:09.582000000 +0200 +@@ -5,6 +5,26 @@ + + Here is a history of user visible changes to Mailman. + ++2.1.40 (xx-xxx-xxxx) ++ ++ i18n ++ ++ - The German translation of `Esperanto` is fixed. (LP: #1966685) ++ ++ Bug Fixes and other patches ++ ++ - Test for a valid header following a Unix From_ line in bin/cleanarch ++ has been improved. (LP: #1957025) ++ - A 500 Internal Server Error when requesting the options page for a ++ non-member address on a list with private rosters is avoided. ++ (LP: #1961762) ++ - A possible list membership leak via the user options CGI is fixed. ++ (LP: #1968443) ++ - Another possible list membership leak via the user options CGI is fixed. ++ (LP: #2015416) ++ - Yet another possible list membership leak via the user options CGI is ++ fixed. (LP: #2017813) ++ + 2.1.39 (13-Dec-2021) + + Bug Fixes and other patches