
Bug#989199: marked as done (unblock: hyperkitty/1.3.4-4)



Your message dated Fri, 28 May 2021 22:57:10 +0200
with message-id <YLFZJhLhzbqZE1ge@ramacher.at>
and subject line Re: Bug#989199: unblock: hyperkitty/1.3.4-4
has caused the Debian Bug report #989199,
regarding unblock: hyperkitty/1.3.4-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989199: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989199
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package hyperkitty

[ Reason ]
hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
private archives stay private during import). The patch is really simple and
straightforward.

I'd suggest unblocking hyperkitty 1.3.4-4 right away and not waiting for the
20-day period until it auto-migrates (due to autopkgtests).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock hyperkitty/1.3.4-4

Here's the full changelog for hyperkitty 1.3.4-4:

> hyperkitty (1.3.4-4) unstable; urgency=high
> 
>   * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
>     archives stay private during import (CVE-2021-33038). (Closes: #989183)
> 
>  -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200

Kind regards
 jonas
diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
--- hyperkitty-1.3.4/debian/changelog	2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/changelog	2021-05-28 11:00:26.000000000 +0200
@@ -1,3 +1,10 @@
+hyperkitty (1.3.4-4) unstable; urgency=high
+
+  * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
+    archives stay private during import (CVE-2021-33038). (Closes: #989183)
+
+ -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200
+
 hyperkitty (1.3.4-3) unstable; urgency=high
 
   * d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
diff -Nru hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
--- hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	1970-01-01 01:00:00.000000000 +0100
+++ hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	2021-05-28 11:00:26.000000000 +0200
@@ -0,0 +1,47 @@
+From: Kunal Mehta <legoktm@debian.org>
+Date: Thu, 6 May 2021 14:15:03 -0700
+Subject: Ensure private archives stay private during import (CVE-2021-33038)
+
+hyperkitty keeps state of whether a mailing list's archives should be
+public or private in the hyperkitty_mailinglist table. However during
+the import process, it would create a row using the default settings
+(archive_policy="public") instead of getting the correct values from
+Mailman. It would only sync with Mailman at the end of the import
+process.
+
+This patch explicitly creates the hyperkitty_mailinglist row/object at
+the beginning of the import process, so the visiblity will be correctly
+obtained from Mailman, before any messages can be accidentally leaked.
+
+Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
+Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
+Bug-Debian: http://bugs.debian.org/989183
+---
+ hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index 7764fa8..f9532e4 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+ 
+ 
+ # Allow all wierd line endings.
+@@ -319,6 +319,11 @@ class Command(BaseCommand):
+         # if (settings.DATABASES["default"]["ENGINE"]
+         #     != "django.db.backends.sqlite3":
+         #     transaction.set_autocommit(False)
++        # Sync list settings with Mailman before importing messages:
++        if not options["no_sync_mailman"]:
++            mlist = MailingList.objects.get_or_create(name=list_address)[0]
++            mlist.update_from_mailman()
++            mlist.save()
+         settings.HYPERKITTY_BATCH_MODE = True
+         # Only import emails newer than the latest email in the DB
+         latest_email_date = Email.objects.filter(
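Review bot: the new sync in the second embedded hunk is entirely skipped when the command runs with `no_sync_mailman` set (`if not options["no_sync_mailman"]:`), so on that path the hyperkitty_mailinglist row is still created lazily with the default `archive_policy="public"` that the description above names as the cause of the leak; consider creating the row with a non-public policy when the Mailman sync is skipped, or at least documenting in the option's help that skipping the sync can expose a private archive while the import runs. The diffstat also shows only hyperkitty_import.py changed, so nothing in this patch exercises the import of a private list; a regression test that imports into a list whose Mailman policy is private and asserts the row is never public would make the fix verifiable in autopkgtests. Minor: the description carries the typos "visiblity" and "wierd" (the latter in an existing comment line).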
diff -Nru hyperkitty-1.3.4/debian/patches/series hyperkitty-1.3.4/debian/patches/series
--- hyperkitty-1.3.4/debian/patches/series	2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/patches/series	2021-05-28 11:00:26.000000000 +0200
@@ -2,3 +2,4 @@
 0002_Use_python3_by_default.patch
 0003-run-sassc-at-build-time.patch
 0004_remove_link_to_google_fonts.patch
+0005_ensure_private_archives_during_import.patch

--- End Message ---
--- Begin Message ---
On 2021-05-28 11:23:44 +0200, Jonas Meurer wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package hyperkitty
> 
> [ Reason ]
> hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
> private archives stay private during import). The patch is really simple and
> straightforward.
> 
> I'd suggest unblocking hyperkitty 1.3.4-4 right away and not waiting for the
> 20-day period until it auto-migrates (due to autopkgtests).

Added a hint to set the required age to 5 days.

Cheers

> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock hyperkitty/1.3.4-4
> 
> Here's the full changelog for hyperkitty 1.3.4-4:
> 
> > hyperkitty (1.3.4-4) unstable; urgency=high
> > 
> >   * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
> >     archives stay private during import (CVE-2021-33038). (Closes: #989183)
> > 
> >  -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200
> 
> Kind regards
>  jonas

> diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
> --- hyperkitty-1.3.4/debian/changelog	2021-04-29 11:55:45.000000000 +0200
> +++ hyperkitty-1.3.4/debian/changelog	2021-05-28 11:00:26.000000000 +0200
> @@ -1,3 +1,10 @@
> +hyperkitty (1.3.4-4) unstable; urgency=high
> +
> +  * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
> +    archives stay private during import (CVE-2021-33038). (Closes: #989183)
> +
> + -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200
> +
>  hyperkitty (1.3.4-3) unstable; urgency=high
>  
>    * d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
> diff -Nru hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
> --- hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	1970-01-01 01:00:00.000000000 +0100
> +++ hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	2021-05-28 11:00:26.000000000 +0200
> @@ -0,0 +1,47 @@
> +From: Kunal Mehta <legoktm@debian.org>
> +Date: Thu, 6 May 2021 14:15:03 -0700
> +Subject: Ensure private archives stay private during import (CVE-2021-33038)
> +
> +hyperkitty keeps state of whether a mailing list's archives should be
> +public or private in the hyperkitty_mailinglist table. However during
> +the import process, it would create a row using the default settings
> +(archive_policy="public") instead of getting the correct values from
> +Mailman. It would only sync with Mailman at the end of the import
> +process.
> +
> +This patch explicitly creates the hyperkitty_mailinglist row/object at
> +the beginning of the import process, so the visiblity will be correctly
> +obtained from Mailman, before any messages can be accidentally leaked.
> +
> +Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
> +Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
> +Bug-Debian: http://bugs.debian.org/989183
> +---
> + hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
> +index 7764fa8..f9532e4 100644
> +--- a/hyperkitty/management/commands/hyperkitty_import.py
> ++++ b/hyperkitty/management/commands/hyperkitty_import.py
> +@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
> + from hyperkitty.lib.mailman import sync_with_mailman
> + from hyperkitty.lib.utils import get_message_id
> + from hyperkitty.management.utils import setup_logging
> +-from hyperkitty.models import Email, Thread
> ++from hyperkitty.models import Email, MailingList, Thread
> + 
> + 
> + # Allow all wierd line endings.
> +@@ -319,6 +319,11 @@ class Command(BaseCommand):
> +         # if (settings.DATABASES["default"]["ENGINE"]
> +         #     != "django.db.backends.sqlite3":
> +         #     transaction.set_autocommit(False)
> ++        # Sync list settings with Mailman before importing messages:
> ++        if not options["no_sync_mailman"]:
> ++            mlist = MailingList.objects.get_or_create(name=list_address)[0]
> ++            mlist.update_from_mailman()
> ++            mlist.save()
> +         settings.HYPERKITTY_BATCH_MODE = True
> +         # Only import emails newer than the latest email in the DB
> +         latest_email_date = Email.objects.filter(
> diff -Nru hyperkitty-1.3.4/debian/patches/series hyperkitty-1.3.4/debian/patches/series
> --- hyperkitty-1.3.4/debian/patches/series	2021-04-29 11:55:45.000000000 +0200
> +++ hyperkitty-1.3.4/debian/patches/series	2021-05-28 11:00:26.000000000 +0200
> @@ -2,3 +2,4 @@
>  0002_Use_python3_by_default.patch
>  0003-run-sassc-at-build-time.patch
>  0004_remove_link_to_google_fonts.patch
> +0005_ensure_private_archives_during_import.patch


-- 
Sebastian Ramacher



--- End Message ---