From d9cfa22dc436e0694eb8ef8d24dd605004a7b9328de5b1a01d13fab7596922f0 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Wed, 2 Jun 2021 16:18:37 +0000
Subject: [PATCH] Accepting request 896914 from home:pgajdos

- security update
- added patches
  fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
  + python-HyperKitty-CVE-2021-33038.patch

OBS-URL: https://build.opensuse.org/request/show/896914
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:mailman/python-HyperKitty?expand=0&rev=41
---
 python-HyperKitty-CVE-2021-33038.patch | 35 ++++++++++++++++++++++++++
 python-HyperKitty.changes | 8 ++++++
 python-HyperKitty.spec | 2 ++
 3 files changed, 45 insertions(+)
 create mode 100644 python-HyperKitty-CVE-2021-33038.patch

diff --git a/python-HyperKitty-CVE-2021-33038.patch b/python-HyperKitty-CVE-2021-33038.patch
new file mode 100644
index 0000000..0483ba6
--- /dev/null
+++ b/python-HyperKitty-CVE-2021-33038.patch
@@ -0,0 +1,35 @@
+Security
+--------
+
+- Importing a private mailing list with ``hyperkitty_import`` will enforce
+  the visibility of the archives for the duration of the import. This fixes
+  a bug where the private archives would have public visibility during imports
+  which could lead to temporary information leakage.
+  (CVE-2021-33038, Closes #380)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+ 
+ 
+ # Allow all wierd line endings.
+@@ -338,6 +338,11 @@ class Command(BaseCommand):
+         # if (settings.DATABASES["default"]["ENGINE"]
+         #         != "django.db.backends.sqlite3":
+         #     transaction.set_autocommit(False)
++        # Sync list settings with Mailman before importing messages:
++        if not options["no_sync_mailman"]:
++            mlist = MailingList.objects.get_or_create(name=list_address)[0]
++            mlist.update_from_mailman()
++            mlist.save()
+         settings.HYPERKITTY_BATCH_MODE = True
+         # Only import emails newer than the latest email in the DB
+         latest_email_date = Email.objects.filter(
+
diff --git a/python-HyperKitty.changes b/python-HyperKitty.changes
index fdcf585..b9f4ef4 100644
--- a/python-HyperKitty.changes
+++ b/python-HyperKitty.changes
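Review bot: The visibility sync added in the second inner hunk runs only under `if not options["no_sync_mailman"]:`, so an operator who imports with `--no-sync-mailman` still gets the MailingList row created with whatever archive policy the model defaults to, and the exposure window this CVE fix is meant to close stays open in that mode without any indication. At minimum the skip should be loud, e.g. `else: self.stderr.write("--no-sync-mailman: archive visibility of %s is not enforced during import" % list_address)`, or the sync should be forced whenever the list does not yet exist in HyperKitty regardless of the flag. It is also worth confirming that `update_from_mailman()` raises and so aborts the import when Mailman is unreachable, rather than returning quietly and leaving the freshly created list at the default policy; its error handling is not visible here. The enclosing Command method (presumably handle()) starts and ends outside the hunk.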
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jun 2 12:25:48 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
+  + python-HyperKitty-CVE-2021-33038.patch
+
 -------------------------------------------------------------------
 Wed May 26 14:04:05 UTC 2021 - Andreas Schneider
 
diff --git a/python-HyperKitty.spec b/python-HyperKitty.spec
index 65d3365..68ed32b 100644
--- a/python-HyperKitty.spec
+++ b/python-HyperKitty.spec
@@ -54,6 +54,8 @@ Source22: hyperkitty-runjob.timer
 Source30: README.SUSE.md
 # Patch0: hyperkitty-settings.patch
+# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
+Patch1: python-HyperKitty-CVE-2021-33038.patch
 # BuildRequires: %{python_module django-debug-toolbar >= 2.2}
 BuildRequires: %{python_module isort}