Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-HyperKitty for openSUSE:Factory checked in at 2021-06-02 22:12:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-HyperKitty (Old) and /work/SRC/openSUSE:Factory/.python-HyperKitty.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-HyperKitty" Wed Jun 2 22:12:26 2021 rev:11 rq:896957 version:1.3.4 Changes: -------- --- /work/SRC/openSUSE:Factory/python-HyperKitty/python-HyperKitty.changes 2021-06-01 10:38:22.152905745 +0200 +++ /work/SRC/openSUSE:Factory/.python-HyperKitty.new.1898/python-HyperKitty.changes 2021-06-02 22:12:52.224059607 +0200 @@ -1,0 +2,8 @@ +Wed Jun 2 12:25:48 UTC 2021 - pgaj...@suse.com + +- security update +- added patches + fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list + + python-HyperKitty-CVE-2021-33038.patch + +------------------------------------------------------------------- New: ---- python-HyperKitty-CVE-2021-33038.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-HyperKitty.spec ++++++ --- /var/tmp/diff_new_pack.su6xMX/_old 2021-06-02 22:12:52.756058292 +0200 +++ /var/tmp/diff_new_pack.su6xMX/_new 2021-06-02 22:12:52.760058281 +0200 @@ -54,6 +54,8 @@ Source30: README.SUSE.md # Patch0: hyperkitty-settings.patch +# CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list +Patch1: python-HyperKitty-CVE-2021-33038.patch # BuildRequires: %{python_module django-debug-toolbar >= 2.2} BuildRequires: %{python_module isort} ++++++ python-HyperKitty-CVE-2021-33038.patch ++++++ Security -------- - Importing a private mailing list with ``hyperkitty_import`` will enforce the visibility of the archives for the duration of the import. This fixes a bug where the private archives would have public visibility during imports which could lead to temporary information leakage. (CVE-2021-33038, Closes #380) diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644 --- a/hyperkitty/management/commands/hyperkitty_import.py 
+++ b/hyperkitty/management/commands/hyperkitty_import.py @@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list from hyperkitty.lib.mailman import sync_with_mailman from hyperkitty.lib.utils import get_message_id from hyperkitty.management.utils import setup_logging -from hyperkitty.models import Email, Thread +from hyperkitty.models import Email, MailingList, Thread # Allow all wierd line endings. @@ -338,6 +338,11 @@ class Command(BaseCommand): # if (settings.DATABASES["default"]["ENGINE"] # != "django.db.backends.sqlite3": # transaction.set_autocommit(False) + # Sync list settings with Mailman before importing messages: + if not options["no_sync_mailman"]: + mlist = MailingList.objects.get_or_create(name=list_address)[0] + mlist.update_from_mailman() + mlist.save() settings.HYPERKITTY_BATCH_MODE = True # Only import emails newer than the latest email in the DB latest_email_date = Email.objects.filter(
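Review bot: In the `python-HyperKitty.spec` hunk, `Patch1: python-HyperKitty-CVE-2021-33038.patch` is declared but the diff shows no matching `%patch1` (or `%autopatch`) line in `%prep`; confirm the patch is actually applied in the build, otherwise the package ships without the CVE-2021-33038 fix the changelog entry claims.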
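Review bot: In the `hyperkitty_import.py` hunk at `@@ -338,6 +338,11 @@`, the visibility enforcement only runs under `if not options["no_sync_mailman"]:`, so an import started with the no-sync option skips `mlist.update_from_mailman()` and a list created by `MailingList.objects.get_or_create(name=list_address)[0]` keeps its default settings for the whole import, which is the exposure window the Security note describes. Suggest logging an explicit warning in that branch, and wrapping `mlist.update_from_mailman()` so that a failed sync with Mailman aborts the import instead of continuing with a freshly created list whose visibility was never fetched; `mlist.save()` after the sync is correct since the fetched settings must be persisted before `add_to_list` runs.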