Accepting request 941157 from devel:languages:python:mailman

- Add hyperkitty-fix-mistune-2.0-imports.patch ... two function
  moved in mistune 2.0 (gl#mailman/hyperkitty#379).
- Add a patch that fixes compatibility with the full release of mistune 2.0
- Update to version 1.3.5
  * https://gitlab.com/mailman/hyperkitty/-/blob/1.3.5/doc/news.rst
- Fixes CVE-2021-35057
- Removed obsolete python-HyperKitty-CVE-2021-33038.patch

OBS-URL: https://build.opensuse.org/request/show/941157
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-HyperKitty?expand=0&rev=13

HyperKitty-1.3.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f78fe0a89ece0a7b42c0c0f107ba9de40ffdb65b7ad7dd812e745c678c4570d1
-size 2385311

HyperKitty-1.3.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8269222bca481dfb9b6dbc4d766fc3e8bda8ef6d85a6dc5880835874850e9f86
+size 2488492

hyperkitty-fix-mistune-2.0-imports.patch

@@ -0,0 +1,55 @@
+From 2c3c189c9aacef3f54de2ae0f653aa13c6167093 Mon Sep 17 00:00:00 2001
+From: David Runge <dave@sleepmap.de>
+Date: Sun, 5 Dec 2021 12:39:01 +0100
+Subject: [PATCH 1/3] Fix mistune imports for mistune >= 2.0.0
+
+hyperkitty/lib/renderer.py:
+With mistune 2.0.0 the `escape_url()` and `escape_html()` are moved to
+mistune.util.
+---
+ hyperkitty/lib/renderer.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hyperkitty/lib/renderer.py b/hyperkitty/lib/renderer.py
+index cf54e7c0..96f026db 100644
+--- a/hyperkitty/lib/renderer.py
++++ b/hyperkitty/lib/renderer.py
+@@ -4,7 +4,7 @@ from django.conf import settings
+ 
+ import mistune
+ from mistune.plugins.extra import plugin_url
+-from mistune.scanner import escape_html, escape_url
++from mistune.util import escape_html, escape_url
+ 
+ 
+ class MyRenderer(mistune.HTMLRenderer):
+-- 
+GitLab
+
+
+From 0807a57860c57ebfe0542cc9d58fedf1ed5582d5 Mon Sep 17 00:00:00 2001
+From: David Runge <dave@sleepmap.de>
+Date: Sun, 5 Dec 2021 12:40:10 +0100
+Subject: [PATCH 2/3] Require mistune >= 2.0.0
+
+setup.py:
+Require mistune >= 2.0.0 to rely on a stable mistune release.
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 6cc7636e..c16294b0 100755
+--- a/setup.py
++++ b/setup.py
+@@ -45,7 +45,7 @@ REQUIRES = [
+     "pytz>=2012",
+     "django-compressor>=1.3",
+     "mailmanclient>=3.3.3",
+-    "mistune>=2.0.0rc1",
++    "mistune>=2.0.0",
+     "python-dateutil >= 2.0",
+     "networkx>=2.0",
+     "django-haystack>=2.8.0",
+-- 
+GitLab

hyperkitty-settings.patch

@@ -1,8 +1,8 @@
-Index: HyperKitty-1.3.3/example_project/settings.py
+Index: HyperKitty-1.3.5/example_project/settings.py
 ===================================================================
---- HyperKitty-1.3.3.orig/example_project/settings.py
-+++ HyperKitty-1.3.3/example_project/settings.py
-@@ -134,7 +134,7 @@ DATABASES = {
+--- HyperKitty-1.3.5.orig/example_project/settings.py	2021-10-12 23:40:25.000000000 +0200
++++ HyperKitty-1.3.5/example_project/settings.py	2021-11-17 09:36:12.809720361 +0100
+@@ -135,7 +135,7 @@ DATABASES = {
          # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
          'ENGINE': 'django.db.backends.sqlite3',
          # DB name or path to database file if using sqlite3.
@@ -11,7 +11,7 @@ Index: HyperKitty-1.3.3/example_project/settings.py
          # The following settings are not used with sqlite3:
          'USER': 'hyperkitty',
          'PASSWORD': 'hkpass',
-@@ -202,7 +202,7 @@ USE_TZ = True
+@@ -203,7 +203,7 @@ USE_TZ = True
  # Don't put anything in this directory yourself; store your static files
  # in apps' "static/" subdirectories and in STATICFILES_DIRS.
  # Example: "/var/www/example.com/static/"
@@ -20,7 +20,7 @@ Index: HyperKitty-1.3.3/example_project/settings.py
  
  # URL prefix for static files.
  # Example: "http://example.com/static/", "http://static.example.com/"
-@@ -395,7 +395,7 @@ LOGGING = {
+@@ -396,7 +396,7 @@ LOGGING = {
              'level': 'INFO',
              #'class': 'logging.handlers.RotatingFileHandler',
              'class': 'logging.handlers.WatchedFileHandler',
@@ -28,4 +28,4 @@ Index: HyperKitty-1.3.3/example_project/settings.py
 +            'filename': '/var/log/hyperkitty/hyperkitty.log',
              'formatter': 'verbose',
          },
-     },
+         'console': {

python-HyperKitty-CVE-2021-33038.patch

@@ -1,35 +0,0 @@
-Security
---------
-
-- Importing a private mailing list with ``hyperkitty_import`` will enforce
-  the visibility of the archives for the duration of the import. This fixes
-  a bug where the private archives would have public visibility during imports
-  which could lead to temporary information leakage.
-  (CVE-2021-33038, Closes #380)
-
-diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
-index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
---- a/hyperkitty/management/commands/hyperkitty_import.py
-+++ b/hyperkitty/management/commands/hyperkitty_import.py
-@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
- from hyperkitty.lib.mailman import sync_with_mailman
- from hyperkitty.lib.utils import get_message_id
- from hyperkitty.management.utils import setup_logging
--from hyperkitty.models import Email, Thread
-+from hyperkitty.models import Email, MailingList, Thread
- 
- 
- # Allow all wierd line endings.
-@@ -338,6 +338,11 @@ class Command(BaseCommand):
-         # if (settings.DATABASES["default"]["ENGINE"]
-         #     != "django.db.backends.sqlite3":
-         #     transaction.set_autocommit(False)
-+        # Sync list settings with Mailman before importing messages:
-+        if not options["no_sync_mailman"]:
-+            mlist = MailingList.objects.get_or_create(name=list_address)[0]
-+            mlist.update_from_mailman()
-+            mlist.save()
-         settings.HYPERKITTY_BATCH_MODE = True
-         # Only import emails newer than the latest email in the DB
-         latest_email_date = Email.objects.filter(
-

python-HyperKitty.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Dec 17 10:25:31 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add hyperkitty-fix-mistune-2.0-imports.patch ... two function
+  moved in mistune 2.0 (gl#mailman/hyperkitty#379).
+
+-------------------------------------------------------------------
+Thu Dec 16 15:11:02 UTC 2021 - Sasi Olin <hel@lcp.world>
+
+- Add a patch that fixes compatibility with the full release of mistune 2.0
+
+-------------------------------------------------------------------
+Wed Nov 17 08:30:52 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
+
+- Update to version 1.3.5
+  * https://gitlab.com/mailman/hyperkitty/-/blob/1.3.5/doc/news.rst
+- Fixes CVE-2021-35057
+- Removed obsolete python-HyperKitty-CVE-2021-33038.patch
+
 -------------------------------------------------------------------
 Wed Jun  2 18:33:55 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
 

python-HyperKitty.spec

@@ -35,7 +35,7 @@
 # mailman is built only for primary python3 flavor
 %define pythons python3
 Name:           python-HyperKitty
-Version:        1.3.4
+Version:        1.3.5
 Release:        0
 Summary:        A web interface to access GNU Mailman v3 archives
 License:        GPL-3.0-only
@@ -53,13 +53,17 @@ Source22:       hyperkitty-runjob.timer
 #
 Source30:       README.SUSE.md
 #
+# PATCH-FIX-OPENSUSE hyperkitty-settings.patch mcepl@suse.com
+# hard-code locations of configuration files
 Patch0:         hyperkitty-settings.patch
-# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
-Patch1:         python-HyperKitty-CVE-2021-33038.patch
+# PATCH-FIX-UPSTREAM hyperkitty-fix-mistune-2.0-imports.patch gl#mailman/hyperkitty#379 mcepl@suse.com
+# Two elements moved in mistune 2.0
+Patch1:         hyperkitty-fix-mistune-2.0-imports.patch
 #
 BuildRequires:  %{python_module django-debug-toolbar >= 2.2}
 BuildRequires:  %{python_module isort}
 BuildRequires:  %{python_module libsass}
+BuildRequires:  %{python_module mistune >= 2.0}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  acl
 BuildRequires:  fdupes
@@ -73,12 +77,13 @@ Requires:       python-django-debug-toolbar >= 2.2
 Requires:       python-django-extensions >= 1.3.7
 Requires:       python-django-gravatar2 >= 1.0.6
 Requires:       python-django-haystack >= 2.8.0
-Requires:       python-django-mailman3 >= 1.2.0
-Requires:       python-django-q >= 1.0.0
+Requires:       python-django-mailman3 >= 1.3.7
+Requires:       python-django-q >= 1.3.9
 Requires:       python-djangorestframework >= 3.0.0
 Requires:       python-flufl.lock
 Requires:       python-libsass
-Requires:       python-mailmanclient >= 3.1.1
+Requires:       python-mailmanclient >= 3.3.2
+Requires:       python-mistune
 Requires:       python-networkx >= 1.9.1
 Requires:       python-python-dateutil >= 2.0
 Requires:       python-pytz >= 2012
@@ -93,12 +98,14 @@ BuildRequires:  %{python_module django-compressor >= 1.3}
 BuildRequires:  %{python_module django-extensions >= 1.3.7}
 BuildRequires:  %{python_module django-gravatar2 >= 1.0.6}
 BuildRequires:  %{python_module django-haystack >= 2.8.0}
-BuildRequires:  %{python_module django-mailman3 >= 1.2.0}
-BuildRequires:  %{python_module django-q >= 1.0.0}
+BuildRequires:  %{python_module django-mailman3 >= 1.3.7}
+BuildRequires:  %{python_module django-q >= 1.3.9}
 BuildRequires:  %{python_module djangorestframework >= 3.0.0}
 BuildRequires:  %{python_module elasticsearch}
 BuildRequires:  %{python_module flufl.lock}
-BuildRequires:  %{python_module mailmanclient >= 3.1.1}
+BuildRequires:  %{python_module lxml}
+BuildRequires:  %{python_module mailmanclient >= 3.3.2}
+BuildRequires:  %{python_module mistune}
 BuildRequires:  %{python_module mock}
 BuildRequires:  %{python_module networkx >= 1.9.1}
 BuildRequires:  %{python_module pytest-django}