File mailman-2.1.15-CVE-2018-0618.patch of Package mailman.13240

--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2013 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -447,13 +447,13 @@ class General(GUIBase):
                  as "the mailbox of the agent responsible for the actual
                  transmission of the message."  Mailman replaces this header
                  by default with the list's bounce address.
-                 
+
                  <p>While it is debatable if Mailman is such an agent, setting
                  this header helps directing bounces from some broken MTAs to
                  the right destination.  On the other hand, some mail
                  readers show unexpected behaviour if this header is set (like
                  missing addresses in forwarded mails and copies sent to the
-                 bounce address on reply-to-all), so it can be disabled 
+                 bounce address on reply-to-all), so it can be disabled
                  here."""))
                 )
 
@@ -511,6 +511,14 @@ mlist.info.
                                           or not isinstance(val, IntType)):
             doc.addError(_("""<b>admin_member_chunksize</b> attribute not
             changed!  It must be an integer > 0."""))
+        elif property == 'host_name':
+            try:
+                Utils.ValidateEmail('user@' + val)
+            except Errors.EmailAddressError:
+                doc.addError(_("""<b>host_name</b> attribute not changed!
+                It must be a valid domain name."""))
+            else:
+                GUIBase._setValue(self, mlist, property, val, doc)
         else:
             GUIBase._setValue(self, mlist, property, val, doc)
 
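Review bot: The new host_name branch validates a domain by wrapping it in a synthetic address, `Utils.ValidateEmail('user@' + val)`, and nothing in the hunk says why, so the next reader will wonder whether a dedicated hostname check was overlooked; add a why-comment such as `# No standalone hostname validator exists here; reuse ValidateEmail's domain rules so host_name cannot carry characters the address parser rejects (presumably including markup), since the value is rendered into list pages.` If val is not a string at this point the concatenation raises TypeError outside the except, which the error-reporting path does not cover — worth confirming against the callers. The try/except/else also repeats the else-branch's `GUIBase._setValue(self, mlist, property, val, doc)`; an `if` that reports the error and returns, falling through to a single `_setValue` call, would read more plainly. `_setValue` begins and ends outside this hunk.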
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -935,6 +935,7 @@ _badwords = [
     '<meta',
     '<object',
     '<script',
+    '@keyframes',
     r'\bj(?:ava)?script\b',
     r'\bvbs(?:cript)?\b',
     r'\bdomactivate\b',
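Review bot: `_badwords` is a denylist of markup, CSS at-rules and event-handler names, and this hunk together with the four following hunks in the same list (through `onwheel`) extends it piecemeal, which is exactly how it fell behind the events browsers added since 2.1.12, yet nothing in the list records that maintenance obligation. Add a comment at the head of the list along the lines of `# Denylist: listowner-supplied HTML is rejected when any entry matches. Browsers keep adding event-handler attributes and CSS features, so re-check this list against the current HTML/CSS specs each release; a missed name is a stored-XSS vector (CVE-2018-0618).` The list opens before this hunk, so how it is compiled — in particular whether matching is case-insensitive, which `'@keyframes'` and the `\b...\b` patterns rely on against mixed-case input — cannot be confirmed here; a test that feeds mixed-case variants of the new entries through the check would pin it down.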
@@ -951,12 +952,14 @@ _badwords = [
     r'\bon(?:de)?activate\b',
     r'\bon(?:after|before)print\b',
     r'\bon(?:after|before)update\b',
+    r'\b(?:on)?animation(?:end|iteration|start)\b',
     r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b',
     r'\bonbeforeunload\b',
     r'\bonbegin\b',
     r'\bonblur\b',
     r'\bonbounce\b',
     r'\bonbroadcast\b',
+    r'\boncanplay(?:through)?\b',
     r'\bon(?:cell)?change\b',
     r'\boncheckboxstatechange\b',
     r'\bon(?:dbl)?click\b',
@@ -972,7 +975,9 @@ _badwords = [
     r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b',
     r'\bondragstart\b',
     r'\bondrop\b',
-    r'\bonend\b',
+    r'\bondurationchange\b',
+    r'\bonemptied\b',
+    r'\bonend(?:ed)?\b',
     r'\bonerror(?:update)?\b',
     r'\bonfilterchange\b',
     r'\bonfinish\b',
@@ -982,21 +987,28 @@ _badwords = [
     r'\bonkey(?:up|down|press)\b',
     r'\bonlayoutcomplete\b',
     r'\bon(?:un)?load\b',
+    r'\bonloaded(?:meta)?data\b',
+    r'\bonloadstart\b',
     r'\bonlosecapture\b',
     r'\bonmedia(?:complete|error)\b',
+    r'\bonmessage\b',
     r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b',
     r'\bonmove(?:end|start)?\b',
     r'\bon(?:off|on)line\b',
+    r'\bonopen\b',
     r'\bonoutofsync\b',
     r'\bonoverflow(?:changed)?\b',
     r'\bonpage(?:hide|show)\b',
     r'\bonpaint\b',
     r'\bonpaste\b',
     r'\bonpause\b',
+    r'\bonplay(?:ing)?\b',
+    r'\bonpopstate\b',
     r'\bonpopup(?:hidden|hiding|showing|shown)\b',
     r'\bonprogress\b',
     r'\bonpropertychange\b',
     r'\bonradiostatechange\b',
+    r'\bonratechange\b',
     r'\bonreadystatechange\b',
     r'\bonrepeat\b',
     r'\bonreset\b',
@@ -1006,19 +1018,30 @@ _badwords = [
     r'\bonrow(?:delete|enter|exit|inserted)\b',
     r'\bonrows(?:delete|enter|inserted)\b',
     r'\bonscroll\b',
-    r'\bonseek\b',
+    r'\bonsearch\b',
+    r'\bonseek(?:ed|ing)?\b',
     r'\bonselect(?:start)?\b',
     r'\bonselectionchange\b',
+    r'\bonshow\b',
     r'\bonstart\b',
+    r'\bonstalled\b',
     r'\bonstop\b',
+    r'\bonstorage\b',
     r'\bonsubmit\b',
+    r'\bonsuspend\b',
     r'\bonsync(?:from|to)preference\b',
     r'\bonsyncrestored\b',
     r'\bontext\b',
-    r'\bontimeerror\b',
+    r'\bontime(?:error|update)\b',
+    r'\bontoggle\b',
+    r'\bontouch(?:cancel|end|move|start)\b',
     r'\bontrackchange\b',
+    r'\b(?:on)?transitionend\b',
     r'\bonunderflow\b',
     r'\bonurlflip\b',
+    r'\bonvolumechange\b',
+    r'\bonwaiting\b',
+    r'\bonwheel\b',
     r'\bseeksegmenttime\b',
     r'\bsvgabort\b',
     r'\bsvgerror\b',
--- a/NEWS
+++ b/NEWS
@@ -266,6 +266,9 @@ Here is a history of user visible change
       values for these settings result in no change from the prior release.
       Bug #774588.
 
+    - A few more error messages have had their values HTML escaped.
+      JVN#00846677/JPCERT#97432283/CVE-2018-0618
+
   i18n
 
     - Added some missing German templates from Egon Frerich.
@@ -666,6 +669,12 @@ Here is a history of user visible change
 
 2.1.12 (23-Feb-2009)
 
+  Security
+
+    - Existing protections against malicious listowners injecting evil
+      scripts into listinfo pages have had a few more checks added.
+      JVN#00846677/JPCERT#97432283/CVE-2018-0618
+
   Bug fixes and other patches
 
     - Fix compatibility with Python 2.6.
--- a/Mailman/Gui/GUIBase.py
+++ b/Mailman/Gui/GUIBase.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2002-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 2002-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -171,7 +171,8 @@ class GUIBase:
             except ValueError:
                 doc.addError(_('Invalid value for variable: %(property)s'))
             # This is the parent of MMBadEmailError and MMHostileAddress
-            except Errors.EmailAddressError, error:
+            except Errors.EmailAddressError as error:
+                error = Utils.websafe(str(error))
                 doc.addError(
                     _('Bad email address for option %(property)s: %(error)s'))
             else:
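Review bot: The new `error = Utils.websafe(str(error))` rebinds the caught exception to an escaped string that the following `_()` call presumably picks up through `%(error)s` from the caller's locals, a mechanism not visible in the hunk, so the line deserves a comment: `# The offending address is echoed back into the admin page; escape it so a crafted value cannot inject markup (CVE-2018-0618).` The hunk also assumes `Utils` is already imported in GUIBase.py; if it is not, the first bad address raises NameError inside the handler instead of the friendly message. If the exception's message can be unicode with non-ASCII characters, `str(error)` would raise UnicodeEncodeError on Python 2 in the same place — confirm what MMBadEmailError and MMHostileAddress carry. The enclosing method starts and ends outside the hunk.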