svn commit: r389950 - in branches/2015Q2/japanese/mailman: . files
Xin LI
delphij at FreeBSD.org
Wed Jun 17 17:21:19 UTC 2015
Author: delphij
Date: Wed Jun 17 17:21:18 2015
New Revision: 389950
URL: https://svnweb.freebsd.org/changeset/ports/389950
Log:
MFH: r389895 (requested by tato@)
Apply patch for CVE-2015-2775.
PR: ports/200562
Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
Approved by: ports-secteam@
Added:
branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775
- copied unchanged from r389895, head/japanese/mailman/files/patch-CVE-2015-2775
Modified:
branches/2015Q2/japanese/mailman/Makefile
Directory Properties:
branches/2015Q2/ (props changed)
Modified: branches/2015Q2/japanese/mailman/Makefile
==============================================================================
--- branches/2015Q2/japanese/mailman/Makefile Wed Jun 17 17:20:36 2015 (r389949)
+++ branches/2015Q2/japanese/mailman/Makefile Wed Jun 17 17:21:18 2015 (r389950)
@@ -3,7 +3,7 @@
PORTNAME= mailman
PORTVERSION= 2.1.14.j7
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= japanese mail
MASTER_SITES= http://www.python.jp/doc/contrib/mailman/_static/ \
Copied: branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 (from r389895, head/japanese/mailman/files/patch-CVE-2015-2775)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 Wed Jun 17 17:21:18 2015 (r389950, copy of r389895, head/japanese/mailman/files/patch-CVE-2015-2775)
@@ -0,0 +1,15 @@
+--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900
++++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900
+@@ -93,6 +93,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
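Review bot: The added check reads mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, but nothing in this 15-line patch file defines that setting, and the same lines rely on re and syslog already being imported in Mailman/Utils.py. Please confirm that the 2.1.14.j7 tree provides a default for the setting and has both imports. If the setting is missing, the attribute lookup raises an exception instead of reaching `return False`, so the patch would need to carry the default as well. Separately, the syslog call formats the rejected name with %s. That value has just failed the character check, so logging it with %r would keep newlines and control characters out of the mischief log.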