Date: Wed, 8 Nov 2023 19:42:14 GMT
Message-Id: <202311081942.3A8JgEXS079095@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: 4854dd90a199 - main - mail/mailman: pull in the post-2.1.39 fixes upstream...
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4854dd90a199107cd6a94da257131e09927de3c5

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4854dd90a199107cd6a94da257131e09927de3c5

commit 4854dd90a199107cd6a94da257131e09927de3c5
Author:     Matthias Andree
AuthorDate: 2023-11-08 19:40:22 +0000
Commit:     Matthias Andree
CommitDate: 2023-11-08 19:42:12 +0000

    mail/mailman: pull in the post-2.1.39 fixes upstream...

    by diffing revisions 1885 (2.1.39) against 1893 in the upstream repo

    While here, drop USES=autoreconf, which we no longer need,
    and which triggers warnings from autoconf because the configure.in
    was developed for an older autoconf version.

    Bump PORTREVISION to 2.
---
 mail/mailman/Makefile | 4 +-
 mail/mailman/files/patch-0-r1885-r1893 | 195 +++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+), 2 deletions(-)

diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile index 65c8df3f485a..ecf88cdd7569 100644 --- a/mail/mailman/Makefile +++ b/mail/mailman/Makefile @@ -1,6 +1,6 @@ PORTNAME= mailman DISTVERSION= 2.1.39 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail MASTER_SITES= GNU \ SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@@ -17,7 +17,7 @@ WWW= https://www.list.org/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/gnu-COPYING-GPL -USES= autoreconf cpe fakeroot python:2.7 shebangfix tar:tgz +USES= cpe fakeroot python:2.7 shebangfix tar:tgz CPE_VENDOR= gnu USE_RC_SUBR= mailman diff --git a/mail/mailman/files/patch-0-r1885-r1893 b/mail/mailman/files/patch-0-r1885-r1893 new file mode 100644 index 000000000000..fbcde7e7f206 --- /dev/null +++ b/mail/mailman/files/patch-0-r1885-r1893 
@@ -0,0 +1,195 @@ +This is a patch generated by unpacking +https://bazaar.launchpad.net/tarball/1885 +https://bazaar.launchpad.net/tarball/1893 +as .tgz tarballs into separate directories and diffing it +with GNU diff -NEur: + +diff -NEur bin/cleanarch bin/cleanarch +--- bin/cleanarch 2018-06-18 01:47:34.744000000 +0200 ++++ bin/cleanarch 2022-01-11 04:08:45.300000000 +0100 +@@ -60,7 +60,7 @@ + # From RFC 2822, a header field name must contain only characters from 33-126 + # inclusive, excluding colon. I.e. from oct 41 to oct 176 less oct 072. Must + # use re.match() so that it's anchored at the beginning of the line. +-fre = re.compile(r'[\041-\071\073-\176]+') ++fre = re.compile(r'[\041-\071\073-\176]+:') + + + +diff -NEur Mailman/Cgi/options.py Mailman/Cgi/options.py +--- Mailman/Cgi/options.py 2021-11-24 04:38:19.869000000 +0100 ++++ Mailman/Cgi/options.py 2023-05-22 21:58:09.582000000 +0200 +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2023 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -164,13 +164,40 @@ + loginpage(mlist, doc, None, language) + print doc.Format() + return +- # Sanity check the user, but only give the "no such member" error when +- # using public rosters, otherwise, we'll leak membership information. ++ # Sanity check the user, but we have to give the appropriate error msg ++ # to not potentially leak membership info. This is a kludge here. 
We ++ # have to check membership here to avoid LP: #1951769, but then we have ++ # to give the appropriate error to avoid LP: #1968443 ++ msgc = _('If you are a list member, a confirmation email has been sent.') ++ msgb = _('You already have a subscription pending confirmation') ++ msga = _("""If you are a list member, your unsubscription request has been ++ forwarded to the list administrator for approval.""") ++ msgd = _("""If you are a list member, ++ your password has been emailed to you.""") + if not mlist.isMember(user): + if mlist.private_roster == 0: + doc.addError(_('No such member: %(safeuser)s.')) +- loginpage(mlist, doc, None, language) +- print doc.Format() ++ user = None ++ elif cgidata.has_key('login-unsub'): ++ syslog('mischief', ++ 'Unsub attempt of non-member w/ private rosters: %s', ++ user) ++ if mlist.unsubscribe_policy: ++ doc.addError(msga, tag='') ++ else: ++ doc.addError(msgc, tag='') ++ user = None ++ elif cgidata.has_key('login-remind'): ++ syslog('mischief', ++ 'Reminder attempt of non-member w/ private rosters: %s', ++ user) ++ doc.addError(msgd, tag='') ++ user = None ++ # We get here with a non-None user in the case of a non-member with ++ # private rosters. This creates a possible membership leak, but we ++ # fix that a different way. See LP: #2017813. ++ loginpage(mlist, doc, user, language) ++ print doc.Format() + return + + # Avoid cross-site scripting attacks +@@ -204,10 +231,6 @@ + i18n.set_language(userlang) + + # Are we processing an unsubscription request from the login screen? +- msgc = _('If you are a list member, a confirmation email has been sent.') +- msgb = _('You already have a subscription pending confirmation') +- msga = _("""If you are a list member, your unsubscription request has been +- forwarded to the list administrator for approval.""") + if cgidata.has_key('login-unsub'): + # Because they can't supply a password for unsubscribing, we'll need + # to do the confirmation dance. 
+@@ -233,39 +256,20 @@ + finally: + mlist.Unlock() + else: +- # Not a member +- if mlist.private_roster == 0: +- # Public rosters +- doc.addError(_('No such member: %(safeuser)s.')) +- else: +- syslog('mischief', +- 'Unsub attempt of non-member w/ private rosters: %s', +- user) +- if mlist.unsubscribe_policy: +- doc.addError(msga, tag='') +- else: +- doc.addError(msgc, tag='') ++ # Not a member handled above. ++ pass + loginpage(mlist, doc, user, language) + print doc.Format() + return + + # Are we processing a password reminder from the login screen? +- msg = _("""If you are a list member, +- your password has been emailed to you.""") + if cgidata.has_key('login-remind'): + if mlist.isMember(user): + mlist.MailUserPassword(user) +- doc.addError(msg, tag='') ++ doc.addError(msgd, tag='') + else: +- # Not a member +- if mlist.private_roster == 0: +- # Public rosters +- doc.addError(_('No such member: %(safeuser)s.')) +- else: +- syslog('mischief', +- 'Reminder attempt of non-member w/ private rosters: %s', +- user) +- doc.addError(msg, tag='') ++ # Not a member handled above. ++ pass + loginpage(mlist, doc, user, language) + print doc.Format() + return +@@ -293,7 +297,9 @@ + # to authenticate via cgi (instead of cookie), then print an error + # message. + if cgidata.has_key('password'): +- doc.addError(_('Authentication failed.')) ++ if mlist.private_roster == 0: ++ # Only add error with public rosters lp: #2015416 ++ doc.addError(_('Authentication failed.')) + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', +@@ -307,9 +313,11 @@ + syslog('mischief', + 'Login failure with private rosters: %s from %s', + user, remote) +- user = None ++ # Don't clear user here. See LP: #2017813. 
+ # give an HTTP 401 for authentication failure +- print 'Status: 401 Unauthorized' ++ if mlist.private_roster == 0: ++ # Only add error with public rosters lp: #2015416 ++ print 'Status: 401 Unauthorized' + loginpage(mlist, doc, user, language) + print doc.Format() + return +diff -NEur messages/de/LC_MESSAGES/mailman.po messages/de/LC_MESSAGES/mailman.po +--- messages/de/LC_MESSAGES/mailman.po 2020-06-27 02:12:17.548000000 +0200 ++++ messages/de/LC_MESSAGES/mailman.po 2022-03-29 01:55:20.774000000 +0200 +@@ -4577,7 +4577,7 @@ + + #: Mailman/Defaults.py:1809 + msgid "Esperanto" +-msgstr "Deutsch" ++msgstr "Esperanto" + + # Mailman/Defaults.py:773 + #: Mailman/Defaults.py:1810 +diff -NEur NEWS NEWS +--- NEWS 2021-12-13 21:36:11.555000000 +0100 ++++ NEWS 2023-05-22 21:58:09.582000000 +0200 +@@ -5,6 +5,26 @@ + + Here is a history of user visible changes to Mailman. + ++2.1.40 (xx-xxx-xxxx) ++ ++ i18n ++ ++ - The German translation of `Esperanto` is fixed. (LP: #1966685) ++ ++ Bug Fixes and other patches ++ ++ - Test for a valid header following a Unix From_ line in bin/cleanarch ++ has been improved. (LP: #1957025) ++ - A 500 Internal Server Error when requesting the options page for a ++ non-member address on a list with private rosters is avoided. ++ (LP: #1961762) ++ - A possible list membership leak via the user options CGI is fixed. ++ (LP: #1968443) ++ - Another possible list membership leak via the user options CGI is fixed. ++ (LP: #2015416) ++ - Yet another possible list membership leak via the user options CGI is ++ fixed. (LP: #2017813) ++ + 2.1.39 (13-Dec-2021) + + Bug Fixes and other patches
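
Review bot: The header of the new files/patch-0-r1885-r1893 identifies its inputs only as https://bazaar.launchpad.net/tarball/1885 and https://bazaar.launchpad.net/tarball/1893, with no branch name and no digest of either tarball, so what is recorded here is not enough to regenerate the 195 added lines and compare them. Suggest adding to the header the upstream branch that the two revision numbers refer to and a SHA256 of each unpacked tarball, so a later reviewer can rerun the stated "diff -NEur" and confirm the file contains r1885..r1893 and nothing else.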
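
Review bot: In the bin/cleanarch hunk the comment above "fre" still describes only the character class of a field name, while the pattern now also requires a literal ":" immediately after the name. Suggest adding one comment line that says so, and that a line with whitespace between the name and the colon (for example "Subject :") is deliberately no longer accepted as a header after a Unix From_ line, since that is a behaviour change a reader cannot infer from the RFC 2822 reference alone.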
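
Review bot: In the Mailman/Cgi/options.py hunk at -164,13 +164,40, the new non-member branches for login-unsub and login-remind set "user = None" before "loginpage(mlist, doc, user, language)", whereas the member branches further down (hunk at -233,39 +256,20) call loginpage() with the address still set. If loginpage() renders anything differently for None, the same msga/msgc/msgd text arrives on two distinguishable pages, which is the class of leak the comment in this very hunk cites for LP: #2017813. Suggest either leaving user untouched in the two private-roster branches or noting in the comment why the pages are identical; the public-roster branch can keep "user = None" because it already reveals non-membership.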
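
Review bot: In the hunk at -233,39 +256,20 both "else:" branches are reduced to "# Not a member handled above." plus "pass", so they are reached only if isMember(user) changes between the early check and this point, and in that case the login page is returned with no message at all instead of the generic msga/msgc/msgd wording. Suggest emitting the same generic message in the else branch (for login-remind: "doc.addError(msgd, tag='')") rather than "pass", so the response stays uniform even on that path, or dropping the second isMember() test if it is meant to be unreachable.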
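
Review bot: In the hunk at -293,7 +297,9, once 'Authentication failed.' is suppressed for private rosters, the 'mischief' syslog entry is the only trace of a failed login, and the "remote" value written there is taken from HTTP_FORWARDED_FOR, then HTTP_X_FORWARDED_FOR, before REMOTE_ADDR. The first two are request headers that the client controls unless a front-end proxy overwrites them. Suggest logging REMOTE_ADDR alongside the forwarded value in this block so the log line remains usable for detection and rate limiting.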
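
Review bot: In the hunk at -307,9 +313,11, the comment "# Only add error with public rosters lp: #2015416" is repeated verbatim above "print 'Status: 401 Unauthorized'", where no error is added; it should say that the 401 status is only sent with public rosters. The change also means failed logins on private-roster lists now answer with the default status, so alerting or blocking rules keyed on 401 responses in the web server access log will stop seeing them. Suggest stating that in NEWS or the port's pkg-message and pointing operators to the 'Login failure with private rosters' entry in the mischief log instead.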
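
Review bot: The NEWS hunk files three membership-leak fixes in the user options CGI (LP: #1968443, LP: #2015416, LP: #2017813) under the placeholder heading "2.1.40 (xx-xxx-xxxx)", while the Makefile keeps DISTVERSION at 2.1.39 and only raises PORTREVISION to 2, and the commit log calls them just "post-2.1.39 fixes". Suggest naming the membership-leak fixes in the commit log or pkg-message, so an administrator comparing installed versions against upstream release numbers can tell that 2.1.39_2 already carries them.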