diff --git a/HyperKitty-1.3.4.tar.gz b/HyperKitty-1.3.4.tar.gz
deleted file mode 100644
index 913eea7..0000000
--- a/HyperKitty-1.3.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f78fe0a89ece0a7b42c0c0f107ba9de40ffdb65b7ad7dd812e745c678c4570d1
-size 2385311
diff --git a/HyperKitty-1.3.5.tar.gz b/HyperKitty-1.3.5.tar.gz
new file mode 100644
index 0000000..c24ebef
--- /dev/null
+++ b/HyperKitty-1.3.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8269222bca481dfb9b6dbc4d766fc3e8bda8ef6d85a6dc5880835874850e9f86
+size 2488492
diff --git a/hyperkitty-fix-mistune-2.0-imports.patch b/hyperkitty-fix-mistune-2.0-imports.patch
new file mode 100644
index 0000000..78da6a6
--- /dev/null
+++ b/hyperkitty-fix-mistune-2.0-imports.patch
@@ -0,0 +1,55 @@
+From 2c3c189c9aacef3f54de2ae0f653aa13c6167093 Mon Sep 17 00:00:00 2001
+From: David Runge
+Date: Sun, 5 Dec 2021 12:39:01 +0100
+Subject: [PATCH 1/3] Fix mistune imports for mistune >= 2.0.0
+
+hyperkitty/lib/renderer.py:
+With mistune 2.0.0 the `escape_url()` and `escape_html()` are moved to
+mistune.util.
+---
+ hyperkitty/lib/renderer.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hyperkitty/lib/renderer.py b/hyperkitty/lib/renderer.py
+index cf54e7c0..96f026db 100644
+--- a/hyperkitty/lib/renderer.py
++++ b/hyperkitty/lib/renderer.py
+@@ -4,7 +4,7 @@ from django.conf import settings
+
+ import mistune
+ from mistune.plugins.extra import plugin_url
+-from mistune.scanner import escape_html, escape_url
++from mistune.util import escape_html, escape_url
+
+
+ class MyRenderer(mistune.HTMLRenderer):
+--
+GitLab
+
+
+From 0807a57860c57ebfe0542cc9d58fedf1ed5582d5 Mon Sep 17 00:00:00 2001
+From: David Runge
+Date: Sun, 5 Dec 2021 12:40:10 +0100
+Subject: [PATCH 2/3] Require mistune >= 2.0.0
+
+setup.py:
+Require mistune >= 2.0.0 to rely on a stable mistune release.
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 6cc7636e..c16294b0 100755
+--- a/setup.py
++++ b/setup.py
+@@ -45,7 +45,7 @@ REQUIRES = [
+ "pytz>=2012",
+ "django-compressor>=1.3",
+ "mailmanclient>=3.3.3",
+- "mistune>=2.0.0rc1",
++ "mistune>=2.0.0",
+ "python-dateutil >= 2.0",
+ "networkx>=2.0",
+ "django-haystack>=2.8.0",
+--
+GitLab
diff --git a/hyperkitty-settings.patch b/hyperkitty-settings.patch
index e76c490..881eaaf 100644
--- a/hyperkitty-settings.patch
+++ b/hyperkitty-settings.patch
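Review bot: The embedded series is numbered `[PATCH 1/3]` and `[PATCH 2/3]`, but the new file ends after the second `GitLab` trailer at its 55th line, so the third patch of that series is not carried here. If the omission is deliberate, the patch file should say so in a leading comment, for example `# 3/3 of the upstream series not applied: <reason>`; as it stands a reader cannot tell whether the mistune 2.0 port is complete. The first patch moves the import of `escape_html` and `escape_url`, which `MyRenderer` presumably relies on when turning message text into HTML, so it is worth confirming the renderer is exercised by the package's tests against the packaged mistune.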
@@ -1,8 +1,8 @@ -Index: HyperKitty-1.3.3/example_project/settings.py +Index: HyperKitty-1.3.5/example_project/settings.py =================================================================== ---- HyperKitty-1.3.3.orig/example_project/settings.py -+++ HyperKitty-1.3.3/example_project/settings.py -@@ -134,7 +134,7 @@ DATABASES = { +--- HyperKitty-1.3.5.orig/example_project/settings.py 2021-10-12 23:40:25.000000000 +0200 ++++ HyperKitty-1.3.5/example_project/settings.py 2021-11-17 09:36:12.809720361 +0100 +@@ -135,7 +135,7 @@ DATABASES = { # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'. 'ENGINE': 'django.db.backends.sqlite3', # DB name or path to database file if using sqlite3. @@ -11,7 +11,7 @@ Index: HyperKitty-1.3.3/example_project/settings.py # The following settings are not used with sqlite3: 'USER': 'hyperkitty', 'PASSWORD': 'hkpass', -@@ -202,7 +202,7 @@ USE_TZ = True +@@ -203,7 +203,7 @@ USE_TZ = True # Don't put anything in this directory yourself; store your static files # in apps' "static/" subdirectories and in STATICFILES_DIRS. # Example: "/var/www/example.com/static/" @@ -20,7 +20,7 @@ Index: HyperKitty-1.3.3/example_project/settings.py # URL prefix for static files. # Example: "http://example.com/static/", "http://static.example.com/" -@@ -395,7 +395,7 @@ LOGGING = { +@@ -396,7 +396,7 @@ LOGGING = { 'level': 'INFO', #'class': 'logging.handlers.RotatingFileHandler', 'class': 'logging.handlers.WatchedFileHandler', @@ -28,4 +28,4 @@ Index: HyperKitty-1.3.3/example_project/settings.py + 'filename': '/var/log/hyperkitty/hyperkitty.log', 'formatter': 'verbose', }, - }, + 'console': { diff --git a/python-HyperKitty-CVE-2021-33038.patch b/python-HyperKitty-CVE-2021-33038.patch deleted file mode 100644 index 0483ba6..0000000 --- a/python-HyperKitty-CVE-2021-33038.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-Security
---------
-
-- Importing a private mailing list with ``hyperkitty_import`` will enforce
- the visibility of the archives for the duration of the import. This fixes
- a bug where the private archives would have public visibility during imports
- which could lead to temporary information leakage.
- (CVE-2021-33038, Closes #380)
-
-diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
-index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
---- a/hyperkitty/management/commands/hyperkitty_import.py
-+++ b/hyperkitty/management/commands/hyperkitty_import.py
-@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
- from hyperkitty.lib.mailman import sync_with_mailman
- from hyperkitty.lib.utils import get_message_id
- from hyperkitty.management.utils import setup_logging
--from hyperkitty.models import Email, Thread
-+from hyperkitty.models import Email, MailingList, Thread
-
-
- # Allow all wierd line endings.
-@@ -338,6 +338,11 @@ class Command(BaseCommand):
- # if (settings.DATABASES["default"]["ENGINE"]
- # != "django.db.backends.sqlite3":
- # transaction.set_autocommit(False)
-+ # Sync list settings with Mailman before importing messages:
-+ if not options["no_sync_mailman"]:
-+ mlist = MailingList.objects.get_or_create(name=list_address)[0]
-+ mlist.update_from_mailman()
-+ mlist.save()
- settings.HYPERKITTY_BATCH_MODE = True
- # Only import emails newer than the latest email in the DB
- latest_email_date = Email.objects.filter(
-
diff --git a/python-HyperKitty.changes b/python-HyperKitty.changes
index 2b5cc25..fb00dd5 100644
--- a/python-HyperKitty.changes
+++ b/python-HyperKitty.changes
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Fri Dec 17 10:25:31 UTC 2021 - Matej Cepl + +- Add hyperkitty-fix-mistune-2.0-imports.patch ... two function + moved in mistune 2.0 (gl#mailman/hyperkitty#379). + +------------------------------------------------------------------- +Thu Dec 16 15:11:02 UTC 2021 - Sasi Olin + +- Add a patch that fixes compatibility with the full release of mistune 2.0 + +------------------------------------------------------------------- +Wed Nov 17 08:30:52 UTC 2021 - Andreas Schneider + +- Update to version 1.3.5 + * https://gitlab.com/mailman/hyperkitty/-/blob/1.3.5/doc/news.rst +- Fixes CVE-2021-35057 +- Removed obsolete python-HyperKitty-CVE-2021-33038.patch + ------------------------------------------------------------------- Wed Jun 2 18:33:55 UTC 2021 - Andreas Schneider diff --git a/python-HyperKitty.spec b/python-HyperKitty.spec index 09d6872..6d64c00 100644 --- a/python-HyperKitty.spec +++ b/python-HyperKitty.spec @@ -35,7 +35,7 @@ # mailman is built only for primary python3 flavor %define pythons python3 Name: python-HyperKitty -Version: 1.3.4 +Version: 1.3.5 Release: 0 Summary: A web interface to access GNU Mailman v3 archives License: GPL-3.0-only 
@@ -53,13 +53,17 @@ Source22: hyperkitty-runjob.timer # Source30: README.SUSE.md # +# PATCH-FIX-OPENSUSE hyperkitty-settings.patch mcepl@suse.com +# hard-code locations of configuration files Patch0: hyperkitty-settings.patch -# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list -Patch1: python-HyperKitty-CVE-2021-33038.patch +# PATCH-FIX-UPSTREAM hyperkitty-fix-mistune-2.0-imports.patch gl#mailman/hyperkitty#379 mcepl@suse.com +# Two elements moved in mistune 2.0 +Patch1: hyperkitty-fix-mistune-2.0-imports.patch # BuildRequires: %{python_module django-debug-toolbar >= 2.2} BuildRequires: %{python_module isort} BuildRequires: %{python_module libsass} +BuildRequires: %{python_module mistune >= 2.0} BuildRequires: %{python_module setuptools} BuildRequires: acl BuildRequires: fdupes @@ -73,12 +77,13 @@ Requires: python-django-debug-toolbar >= 2.2 Requires: python-django-extensions >= 1.3.7 Requires: python-django-gravatar2 >= 1.0.6 Requires: python-django-haystack >= 2.8.0 -Requires: python-django-mailman3 >= 1.2.0 -Requires: python-django-q >= 1.0.0 +Requires: python-django-mailman3 >= 1.3.7 +Requires: python-django-q >= 1.3.9 Requires: python-djangorestframework >= 3.0.0 Requires: python-flufl.lock Requires: python-libsass -Requires: python-mailmanclient >= 3.1.1 +Requires: python-mailmanclient >= 3.3.2 +Requires: python-mistune Requires: python-networkx >= 1.9.1 Requires: python-python-dateutil >= 2.0 Requires: python-pytz >= 2012 
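Review bot: Dropping `Patch1: python-HyperKitty-CVE-2021-33038.patch` together with its `[bsc#1186575]` comment leaves no record in the spec of where that fix now comes from; the changelog entry only calls the patch obsolete. Nothing in this diff shows the 1.3.5 copy of `hyperkitty_import.py`, so before merging it is worth confirming that the pre-import `mlist.update_from_mailman()` sync from the removed patch is present in the new tarball. Once confirmed, the changelog line could carry the reference, e.g. `- Removed python-HyperKitty-CVE-2021-33038.patch (bsc#1186575), included in 1.3.5`. Reusing the `Patch1` slot for an unrelated patch is fine, but it makes that history harder to follow without such a note.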
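Review bot: `Requires: python-mistune` in the `@@ -73,12 +77,13 @@` hunk has no version floor, although the patch added by this commit imports `escape_html`/`escape_url` from `mistune.util` and raises setup.py to `mistune>=2.0.0`; on a system that still has an older mistune the package would install and then most likely fail when the renderer is imported. It should read `Requires: python-mistune >= 2.0`, matching `BuildRequires: %{python_module mistune >= 2.0}` in the previous hunk. The unversioned `BuildRequires: %{python_module mistune}` in the `@@ -93,12 +98,14 @@` hunk duplicates that line and can be dropped or versioned the same way. Separately, `python-mailmanclient >= 3.3.2` here and in that later hunk is lower than the `"mailmanclient>=3.3.3"` shown as context in the patched setup.py.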
@@ -93,12 +98,14 @@ BuildRequires: %{python_module django-compressor >= 1.3} BuildRequires: %{python_module django-extensions >= 1.3.7} BuildRequires: %{python_module django-gravatar2 >= 1.0.6} BuildRequires: %{python_module django-haystack >= 2.8.0} -BuildRequires: %{python_module django-mailman3 >= 1.2.0} -BuildRequires: %{python_module django-q >= 1.0.0} +BuildRequires: %{python_module django-mailman3 >= 1.3.7} +BuildRequires: %{python_module django-q >= 1.3.9} BuildRequires: %{python_module djangorestframework >= 3.0.0} BuildRequires: %{python_module elasticsearch} BuildRequires: %{python_module flufl.lock} -BuildRequires: %{python_module mailmanclient >= 3.1.1} +BuildRequires: %{python_module lxml} +BuildRequires: %{python_module mailmanclient >= 3.3.2} +BuildRequires: %{python_module mistune} BuildRequires: %{python_module mock} BuildRequires: %{python_module networkx >= 1.9.1} BuildRequires: %{python_module pytest-django}