diff options
Diffstat (limited to '')
-rwxr-xr-x | Mailman/Defaults.py.in | 2 | ||||
-rw-r--r-- | Mailman/Utils.py | 6 | ||||
-rwxr-xr-x | NEWS | 10 |
3 files changed, 16 insertions, 2 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 068a7dab..9e9e93af 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -138,7 +138,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s' # A Python regular expression character class which defines the characters # allowed in list names. Lists cannot be created with names containing any -# character that doesn't match this class. +# character that doesn't match this class. Do not include '/' in this list. ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' # Shall the user's real names be displayed along with their email addresses diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 13c4ed8b..1cd1cdb7 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -100,6 +100,12 @@ def list_exists(listname): # # The former two are for 2.1alpha3 and beyond, while the latter two are # for all earlier versions. + # + # But first ensure the list name doesn't contain a path traversal + # attack. + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: + syslog('mischief', 'Hostile listname: %s', listname) + return False basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext) @@ -5,7 +5,15 @@ Copyright (C) 1998-2015 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. -2.1.20 (xx-xxx-xxxx) +2.1.20 (31-Mar-2015) + + Security + + - A path traversal vulnerability has been discovered and fixed. This + vulnerability is only exploitable by a local user on a Mailman server + where the suggested Exim transport, the Postfix postfix_to_mailman.py + transport or some other programmatic MTA delivery not using aliases + is employed. CVE-2015-2775 (LP: #1437145) New Features |