Accepting request 896914 from home:pgajdos
- security update - added patches fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list + python-HyperKitty-CVE-2021-33038.patch OBS-URL: https://build.opensuse.org/request/show/896914 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:mailman/python-HyperKitty?expand=0&rev=41
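--- a/python-HyperKitty-CVE-2021-33038.patch
+++ b/python-HyperKitty-CVE-2021-33038.patch
@@ -0,0 +1,35 @@
+Security
+--------
+
+- Importing a private mailing list with ``hyperkitty_import`` will enforce
+the visibility of the archives for the duration of the import. This fixes
+a bug where the private archives would have public visibility during imports
+which could lead to temporary information leakage.
+(CVE-2021-33038, Closes #380)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+from hyperkitty.lib.mailman import sync_with_mailman
+from hyperkitty.lib.utils import get_message_id
+from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+
+
+# Allow all wierd line endings.
+@@ -338,6 +338,11 @@ class Command(BaseCommand):
+# if (settings.DATABASES["default"]["ENGINE"]
+# != "django.db.backends.sqlite3":
+# transaction.set_autocommit(False)
++ # Sync list settings with Mailman before importing messages:
++ if not options["no_sync_mailman"]:
++ mlist = MailingList.objects.get_or_create(name=list_address)[0]
++ mlist.update_from_mailman()
++ mlist.save()
+settings.HYPERKITTY_BATCH_MODE = True
+# Only import emails newer than the latest email in the DB
+latest_email_date = Email.objects.filter(
+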
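Review bot: In the `@@ -338,6 +338,11 @@` hunk of the embedded patch the visibility sync is guarded by `if not options["no_sync_mailman"]:`, so an import run with that option skips `update_from_mailman()` and proceeds with whatever visibility the local `MailingList` row already carries (or the default of a freshly created row, which is not visible here), which presumably leaves open the exposure window the patch is meant to close. The method this hunk lands in starts and ends outside the hunk, so whether the option's help text warns about this cannot be seen from the patch; at minimum the comment above the guard should say so, e.g. `# Sync list settings (incl. archive visibility) with Mailman before importing; when the sync is skipped the stored visibility is used unchecked.` If `update_from_mailman()` raises when Mailman core is unreachable, the import aborts before `HYPERKITTY_BATCH_MODE` is set and any message is added, which is the safe direction; that is worth a one-line note rather than a try/except that would fall through to the import. The same option key also gates the existing `sync_with_mailman` import visible in the first hunk, so both paths share the caveat.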
@@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 2 12:25:48 UTC 2021 - pgajdos@suse.com
|
||||||
|
|
||||||
|
- security update
|
||||||
|
- added patches
|
||||||
|
fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
|
||||||
|
+ python-HyperKitty-CVE-2021-33038.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed May 26 14:04:05 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
|
Wed May 26 14:04:05 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
|
||||||
|
@@ -54,6 +54,8 @@ Source22: hyperkitty-runjob.timer
|
|||||||
Source30: README.SUSE.md
|
Source30: README.SUSE.md
|
||||||
#
|
#
|
||||||
Patch0: hyperkitty-settings.patch
|
Patch0: hyperkitty-settings.patch
|
||||||
|
# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
|
||||||
|
Patch1: python-HyperKitty-CVE-2021-33038.patch
|
||||||
#
|
#
|
||||||
BuildRequires: %{python_module django-debug-toolbar >= 2.2}
|
BuildRequires: %{python_module django-debug-toolbar >= 2.2}
|
||||||
BuildRequires: %{python_module isort}
|
BuildRequires: %{python_module isort}
|
||||||
|