22:27 Matthias Andree (mandree) 

mail/mailman: regression fix update to 2.1.39

Mark Sapiro announced Mailman 2.1.39 "[...] fixes
https://bugs.launchpad.net/mailman/+bug/1954694
[...]
The fix for CVE-2021-42097 was case sensitive and should not be.
The fix for CVE-2021-44227 introduced a potential NameError in logging.

This could cause a user's changes to the option's page to not be
accepted and perhaps cause a 'We hit a bug' response if the user visited
the page with a mixed- or upper-case email address."

URL:		https://bugs.launchpad.net/mailman/+bug/1954694
MFH:		2021Q4

    9449a10

19:09 Matthias Andree (mandree) 

mail/mailman: 2.1.38 security fixing CSRF vuln

While here, fix pkg-message to mention -exim4 and -postfix
derived ports that override the default MTA.

Security:	0d6efbe3-52d9-11ec-9472-e3667ed6088e
Security:	CVE-2021-44227
MFH:		2021Q4

    87f0f37

10:27 Matthias Andree (mandree) 

mail/mailman: security update to 2.1.37

- A potential XSS attack via the user options page has been reported by
  Harsh Jaiswal.  This is fixed.  CVE-2021-43331 (LP: #1949401)

LP: A crafted URL to the user options page can execute arbitrary
    javascript.

- A potential for for a list moderator to carry out an off-line brute force
  attack to obtain the list admin password has been reported by Andre
  Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
  CVE-2021-43332 (LP: #1949403)

LP: The CSRF token for the admindb page contains an encrypted version of
    the list admin password which could potentially be cracked by a
    moderator via an off-line brute force attack.

MFH:		2021Q4
Security:       9d7a2b54-4468-11ec-8532-0d24c37c72c8
Security:       CVE-2021-43331
Security:       CVE-2021-43332

    f05ee16

18:01 Matthias Andree (mandree) 

mail/mailman: security/bugfix update to 2.1.35

Changelog:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1873/NEWS#L8

Security:       CVE-2021-42096
Security:       CVE-2021-42097
Security:       8d65aa3b-31ce-11ec-8c32-a14e8e520dc7
MFH:		2021Q4

    2f936c7

10:04 mandree 

mail/mailman: update to 2.1.34 (bugfixes)

Changelog:
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1859/NEWS#L8

(Note the ValueError fix was already in FreeBSD's 2.1.33_1 and
- on quarterly - the 2.1.30_5 port/package versions.)

Follow POLA:
No MFH requested, as 2020Q2 and head/ have diverged too far,
so let 2020Q3 pick up the change instead.

 

20:04 mandree 

mail/mailman: security update to 2.1.33

Fixing another content injection vulnerability,
this time via private archive login if the list's roster visibility
(private_roster) setting is 'Anyone'.

https://bugs.launchpad.net/mailman/+bug/1877379
https://launchpadlibrarian.net/478684932/private.diff
https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/

Security:       88760f4d-8ef7-11ea-a66d-4b2ef158be83

 

22:56 mandree 

mail/mailman: update to 2.1.32

- fixes the i18n issues in 2.1.31
  - drop local patch for Spanish Castilian mailman.po file
  - drop local REINPLACE_CMD for translations of the security fixed code

- uses a patch from the upstream merged rev 1814 of the htdig branch

 

18:00 mandree 

mail/mailman: security update to 2.1.31

Over the upstream 2.1.31, additional fixes were needed:
+ fix up quoting in one string of the messages/es/ translation
  to unbreak gettext
+ fix up all */LC_MESSAGES/mailman.po to match up with the security fix.

Upstream Changelog for 2.1.31, cited from
<https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1845/NEWS#L8>:
Security
    - A content injection vulnerability via the options login page has been
      discovered and reported by Vishal Singh. This is fixed.  (LP: #1873722)
i18n
    - The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
    - Bounce recognition for a non-compliant Yahoo format is added.
    - Archiving workaround for non-ascii in string.lowercase in some Python
      packages is added.

MFH:		2020Q2
Security:	88760f4d-8ef7-11ea-a66d-4b2ef158be83

 

20:46 mandree 

mail/mailman: update to 2.1.30 - bug fix (incl. data loss)

* upstream changelog:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L6

Note that upstream means 2.1.30 to be the final 2.x release,
because it relies on Python 2.x which is EOL upstream.

! MAJOR DATA LOSS FIX, rename all templates/* files to .sample,
! and list them as a @sample in pkg-plist, because they can be edited
! through the web server, and an upgrade should not stomp over edited files.

* rearrange makefile a bit (portlint, portfmt)
* update and upload new htdig patch
* expose NLS port option to pkg-install script to avoid failure
* patch upstream bin/check_perms script to not complain about tightened-
  up messages/ and mailmanprefix (${PREFIX}/mailman) permissions that we
  set to 0755 instead of 02775. Mailman should not need to write outside
  designated directories or create new top-level directories in its install.
* fix a typo in the German (mailman.po) translation
* tweak pkg-install to:
  - leave ${PREFIX}/mailman permissions alone and not set them to 02775
  - fix up non-moved .sample files if pkg-install is run with -I
  - create a copy of mm_cfg.py from mm_cfg.py.dist if missing (-I)
  - create a newsyslog.conf.d/mailman.conf if missing, from
    examples/mailman.newsyslog.sample if installed (-I)
  - not attempt to fix messages/ (translations) permissions if the NLS
    port option is disabled
* tweak pkg-plist so that the proper permissions and groups are set
  by default already
* clean up pkg-message, thanks to bapt@ for pointing out that a missing
  type: means "install or upgrade".

MFH:		2020Q2 (@samples is an important fix against data loss on update)

 

09:59 mandree 

Security upgrade Mailman to 2.1.29

Changelog:
<https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8>

Release announcements:
2.1.28:
<https://mail.python.org/pipermail/mailman-announce/2018-July/000241.html>
2.1.29: (a regression fix release over 2.1.28)
<https://mail.python.org/pipermail/mailman-announce/2018-July/000242.html>

MFH:		2018Q3
Security:	b4f0ad36-94a5-11e8-9007-080027ac955c
Security:	CVE-2018-13796
Security:	https://bugs.launchpad.net/mailman/+bug/1780874

 

21:58 mandree 

Security upgrade mail/mailman to v2.1.27

Changelog:
<https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8>

Release announcement:
<https://www.mail-archive.com/mailman-users@python.org/msg70962.html>

Reported by:	portscout@ (release)
MFH:		2018Q2
Security:	739948e3-78bf-11e8-b23c-080027ac955c
Security:	CVE-2018-0618
Security:	JVN#00846677
Security:	JPCERT#97432283

 

22:32 mandree 

Security update to 2.1.26 (XSS bug), assorted other fixes.

- Fix checksum failures in Defaults.py[c]:
  No longer patch Defaults.py in postinstall, instead configure
  --with-mailhost=localhost --with-urlhost=localhost, as
  Fedora and Arch Linux do.

- Add a related note to FreeBSD-post-install-notes.

- Add a related safeguard to the rcfile, which will refuse to run
  if the DEFAULT_*_HOSTs are not configured. This can be changed
  with a new mailman_run_localhost="YES" rc.conf setting, which will
  then restrict itself to printing the warnings, but still start mailman.

- Update htdig patch to upstream SVN r1734.

- Bump USES, python:2 -> python:2.7

- Regenerated patches.

Changelog:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1743/NEWS#L8

Release/SecuritY announcement:
https://www.mail-archive.com/mailman-users@python.org/msg70478.html

PR:		225767 (related vuxml entry)
Reported by:	Vladimir Krstulja
MFH:		2018Q1
Security:	CVE-2018-5950
Security:	3d0eeef8-0cf9-11e8-99b0-d017c2987f9a

 

21:04 mandree 

Update to new upstream release 2.1.25.

This is a routine bug fix release with a minor new feature and some
accessibility improvements for screen readers.

Changelog:
<http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1726/NEWS#L6>

 

14:24 mandree 

Update to new upstream version 2.1.24.

Upstream release notes:
"This release is primarily a bug fix release with a few minor feature additions
and a fix for a probably non-exploitable security issue. See the changelog for
details."

Changelog:
<https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1708/NEWS>

 

19:27 mandree 

Security update to upstream release 2.1.23.

ChangeLog:
<http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1668/NEWS#L8>

MFH:		2016Q3
Security:	b11ab01b-6e19-11e6-ab24-080027ef73ec
Security:	CVE-2016-6893

 

23:14 mandree 

Update to new upstream release 2.1.22.

Changelog:
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1643/NEWS#L8

 

08:34 mandree 

Preserve some kinds of signatures, reenable HTDIG option.

Pull upstream change 1629 to fix Launchpad Bug #1551075
<https://bugs.launchpad.net/mailman/+bug/1551075>. This fix improves
preservation of OpenPGP MIME multipart signatures, by not collapsing
a multipart with a single sub-part inside multipart/signed parts.
See the Launchpad bug report for details.

EXPERIMENTAL feature: Reenable HTDIG support by rolling the patch on our
own, and laying down instructions to do so in the Makefile.  Mark Sapiro
no longer maintains the patch.

Bump PORTREVISION to 3.

Note that the upstream maintainer considers another release in a few
weeks' time, and called for help with updating translations.  If you
want to help, see
<http://www.mail-archive.com/mailman-users%40python.org/msg68036.html>

 

23:33 mandree 

Upgrade to new release 2.1.21. Disable HTDIG option.

Disable experimental HTDIG integration option,
the relevant ht://Dig patch no longer fits.

Changelog: https://launchpad.net/mailman/2.1/2.1.21

 

20:08 mandree 

Update to new upstream release 2.1.20.

Fixes one security bug [1], a few other bugs, and adds a feature so that
list admins can edit list addresses.

Uses newer Mailman-and-HTDig integration patches. [2]

Security:	CVE-2015-2775 [1]
Security:	a5f160fa-deee-11e4-99f8-080027ef73ec [1]
PR:		199286 [2]
Submitted by:	David Sieborger [2]

 

07:26 mandree 

Update to new upstream release 2.1.19.

Changes:
https://mail.python.org/pipermail/mailman-announce/2015-March/000205.html

 

21:18 mandree 

Reinstate checksums for optional patches[1], fixing regression from c334818.
Update USE_PYTHON -> USES=python:2.

PR:		193682 [1]
Submitted by:	David Sieborger [1]

 

23:21 mandree 

Upgrade to new upstream bugfix release 2.1.18-1.
Changes: https://mail.python.org/pipermail/mailman-announce/2014-May/000195.html

 

20:44 mandree 

Update to new upstream version 2.1.18.

Bugfixes, DMARC policy support.
New dependency on py-dnspython.

Upstream change log:
https://mail.python.org/pipermail/mailman-announce/2014-May/000193.html

 

07:56 mandree 

- Update to new upstream release 2.1.17, resetting PORTREVISION.

- Remove patch-Makefile.in, which has been integrated by upstream.

- Announcement:
<https://mail.python.org/pipermail/mailman-announce/2013-November/000186.html>

- Poudriere 3.0.13 ticket filed about misreported orphans in testport:
<https://fossil.etoilebsd.net/poudriere/tktview/e8d957a27f8ce8b6255ed655d031e6d05b02492c>

 

16:42 mandree 

Upgrade to new upstream release 2.1.16, release notes:
https://launchpad.net/mailman/2.1/2.1.16/

Support stage directory. (Requires Python 2.7, 2.6 is no longer
sufficient.) This requires us to compile the Python scripts ourselves to
avoid spilling the stagedir name all over the .pyc files, as Mailman's
build would do (causing complaints from make stage-qa).
While there, compile bin/*.py programs, too.

The post-install section of the Makefile is more verbose now.

Run Mailman's bin/update after install.

Fixes to handling the mailman_last_version file to avoid leftover dirs
from an unused Mailman installation and deinstallation.

Scripts are more robust now, and use mktemp -d for temporary directories.

 

22:58 mandree 

Note that I could not fully test all integrations yet.  If integrations are
failing, please add detailed information how you set up your MTA, and
Mailman, what user/group IDs are, how list aliases are managed, and
thereabouts.

- Update to 2.1.15. [2] Changes: click View the full Changelog on
  https://launchpad.net/mailman/2.1/2.1.15
- Fix without-NLS install: Install at least English template. [1]
- Drop EXIM3 option, we don't have an Exim 3 port any more.
- Drop INTEGRATION option, which would at best be confusing.
- Reformat COMMENT to fit into common limits.
- Fix typo in COURIER_DESC.
- When Postfix integration is chosen, add BUILD and RUN_DEPENDS on
  Postfix because we need the postconf program.
- Use htdig patches for Mailman version 2.1.12 and remove BROKEN tag,
  in an experimental attempt to revive htdig support.
- Fix a few minor glitches in FreeBSD-post-install-notes.
- Drop files/patch-Mailman__Cgi__confirm.py, integrated in upstream tarball.
- Add launchpad.net to MASTER_SITES.
- Update files/postfix-verp.diff.
- Install a dummy one-line text file into PYTHON_SITELIBDIR so that
  Python's upgrade-site-packages would reinstall Mailman. [1]
- Add "status" support for rc.d script. [3]
- Change pre-fetch: to pre-everything::
- Revise formatting of pre-everything text to make clear it displays
  default values, not current values. To avoid ports/170280.

PR:		ports/135503 [1]
PR:		ports/170280 [2]
PR:		ports/170285 [2]
PR:		ports/176180 [1]
PR:		ports/181298 [3]
Submitted by:	Lowell Gilbert [1]
Submitted by:	Stefan Lasiewski [2]
Submitted by:	Oliver Fromme [3]

 

14:35 wxs 

Add a patch to fix the XSS vulnerabilities.

PR:             ports/155355
Submitted by:   Hilko Meyer <hilko.meer@gmx.de>
Obtained from: 
http://mail.python.org/pipermail/mailman-announce/attachments/20110218/15500b22/attachment.txt
Security:       64691c49-4b22-11e0-a226-00e0815b8da8

00:40 wxs 

Update to 2.1.14 - note that the HTDIG option is currently broken until
a new patch is released.

16:12 jmelo 

- Add indexing and htdig patches.

07:07 miwi 

- Update to 2.1.12

Changelog:
        Mailman 2.1.12 is a minor bug fix and Python 2.6 compatibility release.

        The minimum Python for this release is Python 2.4 and it is compatible
        with Python through 2.6. The previous Mailman releases are not
        compatible with Python 2.6.

PR:             134442
Submitted by:   miwi
Approved by:    maintainer timeout

23:22 jmelo 

- Update to 2.1.11.

PR:             ports/126109
Submitted by:   Yarema <yds@CoolRat.org>

13:17 jmelo 

- Update htdig patch to 2.1.10.

PR:             ports/123802
Submitted by:   Martin Matuska <mm@FreeBSD.org>

14:05 jmelo 

- Update to 2.1.10.

13:45 mm 

- Add patch with Slovak translation (OPTIONAL)
- Bump PORTREVISION

PR:             ports/114828
Submitted by:   mm
Approved by:    jmelo (maintainer, private e-mail)

15:25 jmelo 

- Unbreak htdig option.

PR:             ports/107688
Submitted by:   Boris Samorodov <bsam@freebsd.org>

21:35 jmelo 

- Update to 2.1.9.

14:12 jmelo 

- Update to 2.1.9rc1 to fix security problems.

Security:      
http://www.vuxml.org/freebsd/fffa9257-3c17-11db-86ab-00123ffe8333.html

01:51 mnag 

- Update to 2.1.8
- portlint(1)

Security:      
http://www.vuxml.org/freebsd/8be2e304-cce6-11da-a3b1-00123ffe8333.html

20:22 edwin 

Update to 2.1.7

09:19 vs 

- Update HT/DIG integration with Mailman for those that need it. No need to
  bump portrevision since it affects nobody who already is running mailman.
    Patches submitted by Brad Kollmyer <bradk AT vitalsoft.com> and
  Frank Wancho <fwancho AT WHC.NET>
- Drop maintainership
- Add SHA256 sums (me)
- Pet portlint (rmdir -> ${RMDIR}) (me)

PR:             ports/90407
Submitted by:   maintainer

00:56 pav 

- Update to 2.1.6

PR:             ports/81814
Submitted by:   Vivek Khera <vivek@khera.org> (maintainer)

16:21 nork 

Update to 2.1.5.

PR:             ports/67002
Submitted by:   Vivek Khera <vivek@khera.org> (maintainer)
Reviewed by:    Sunagawa Koji <koj@ofug.net>
Committed at:   10th EBUG Meeting in Tokamachi City, Niigata, Japan

03:12 trevor 

SIZEify (maintainer timeout)

05:31 petef 

Update to 2.1.4.

PR:             61083
Submitted by:   maintainer

05:44 sergei 

- Update htdig patch to 0.5
- Bump PORTREVISION

PR:             60513
Submitted by:   Nils Vogels <nivo@yuckfou.org>
Approved by:    maintainer

23:50 sergei 

- Add WITH_HTDIG knob to enable htdig integration
- Start using DIST_SUBDIR because of the funkyness of the patch names
- Tweak pkg-plist (duplicate @dirrm/@unexec rmdir, use DOCSDIR, etc.)
- Do not bump PORTREVISION: The default built binaries are unchanged

PR:             57877
Submitted by:   Scott Lambert <lambert@lambertfam.org>
Approved by:    maintainer

19:02 krion 

- Update to version 2.1.3
- Correct notes on FreeBSD Postfix integration

PR:             57364
Submitted by:   Vivek Khera <vivek@lorax.kciLink.com> (maintainer)

19:30 nork 

o Update to 2.1.2.
o Take MAINTAINERship to submitter.

PR:             ports/55160
Submitted by:   Vivek Khera <khera@kcilink.com>
Approved by:    maintainer timeout (a long time)

08:10 wjv 

- Update to version 2.2.1, which includes a fix to a cross-site scripting
  vulnerability.
- Add a file, installed to $DOCSDIR, with more explicit post-installation
  instructions.
- Update $PKGMESSAGE to point to this new file.
- Add more explicit warnings in various places that MAIL_GID *must* be set at
  build time if Mailman is to be used with an alternate (non-Sendmail) MTA.
- Bring port in line with other similar ports by NOT explicitly depending on
  Apache.  This is both more maintainable and allows the user greater scope
  in setting up a custom configuration, including the use of an alternative
  web server.  (Also, Mailman _can_ be used without a web server.)
- Clean up which documentation files get installed to $DOCSDIR.

12:58 wjv 

- Update to the long-anticipated version 2.1

15:31 wjv 

- Overdue update to version 2.0.13, a minor bugfix release
- Refrain from invoking ${PERL}
- Call Mailman's distributed check_perms script post-installation to fix file
  permissions instead of doing so manually.  This is more modular and will
  greatly ease maintenance of the port.  It implies a level of trust in
  check_perms... but then, installing and running any 3rd party software
  implies a level of trust.

14:29 wjv 

- Update to version 2.0.12
- Update $PKGDEINSTALL so that running Python processes beloning to mailman
  user should be killed correctly upon port/package deinstallation, even when
  the version of Python had been updated since the port/package was
  installed.
- Fix a small oversight in $PLIST to allow clean package installations (i.e.
  where there is not an existing mailman user) to set file permissions
  correctly.

14:19 wjv 

- Update to version 2.0.11 (important security fix)

PR:             38652
Submitted by:   Brandon D. Valentine <bugs@geekpunk.net>

15:29 wjv 

- Update to version 2.0.10

13:37 wjv 

- Update to version 2.0.9
- Correctly kill running Mailman processes in $PKGDEINSTALL

07:45 wjv 

- Interim update to version 2.0.8 (which contains important security fixes),    
maintaining most of the port's existing structure.  A more comprehensive    
restructuring of this port is in the works.   - Assume maintainership, pending
any objections from -ports.    

12:59 demon 

Update to 2.0.5    

12:59 demon 

Allow to override cgi-gid.    

11:19 demon 

Update to 2.0.3.   Add more MASTER_SITEs.    

09:47 demon 

Update to version 2.0.2.    

10:04 demon 

Update to version 2.0.1.   Install additional docs.   Utilize USE_PYTHON.    

20:36 demon 

Update to version 2.0.    

15:06 demon 

Update to 2.0rc3.   Set myself as MAINTAINER.    

00:54 jedgar 

- Update port to 2.0b6   - Allow mailman user/uid/install dir to be overridden  
- Add WWW