rpm/python-HyperKitty
SHA256
1
0
Fork 0
forked from pool/python-HyperKitty
Code Pull Requests Activity

Accepting request 896957 from devel:languages:python:mailman

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/896957
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-HyperKitty?expand=0&rev=11
This commit is contained in:
Dominique Leuenberger
2021-06-02 20:12:26 +00:00
committed by Git OBS Bridge
parent 188a557e07 d9cfa22dc4
commit 93e43108a6
3 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
python-HyperKitty-CVE-2021-33038.patch Normal file
View File

@@ -0,0 +1,35 @@
Security
--------
- Importing a private mailing list with ``hyperkitty_import`` will enforce
the visibility of the archives for the duration of the import. This fixes
a bug where the private archives would have public visibility during imports
which could lead to temporary information leakage.
(CVE-2021-33038, Closes #380)
diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
--- a/hyperkitty/management/commands/hyperkitty_import.py
+++ b/hyperkitty/management/commands/hyperkitty_import.py
@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
from hyperkitty.lib.mailman import sync_with_mailman
from hyperkitty.lib.utils import get_message_id
from hyperkitty.management.utils import setup_logging
-from hyperkitty.models import Email, Thread
+from hyperkitty.models import Email, MailingList, Thread
# Allow all wierd line endings.
@@ -338,6 +338,11 @@ class Command(BaseCommand):
# if (settings.DATABASES["default"]["ENGINE"]
# != "django.db.backends.sqlite3":
# transaction.set_autocommit(False)
+ # Sync list settings with Mailman before importing messages:
+ if not options["no_sync_mailman"]:
+ mlist = MailingList.objects.get_or_create(name=list_address)[0]
+ mlist.update_from_mailman()
+ mlist.save()
settings.HYPERKITTY_BATCH_MODE = True
# Only import emails newer than the latest email in the DB
latest_email_date = Email.objects.filter(

8
python-HyperKitty.changes
View File

@@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Jun 2 12:25:48 UTC 2021 - pgajdos@suse.com
- security update
- added patches
fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
+ python-HyperKitty-CVE-2021-33038.patch
-------------------------------------------------------------------
Wed May 26 14:04:05 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>

2
python-HyperKitty.spec
View File

@@ -54,6 +54,8 @@ Source22: hyperkitty-runjob.timer
Source30: README.SUSE.md
#
Patch0: hyperkitty-settings.patch
# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
Patch1: python-HyperKitty-CVE-2021-33038.patch
#
BuildRequires: %{python_module django-debug-toolbar >= 2.2}
BuildRequires: %{python_module isort}