public inbox for git-commits@fedoraproject.org
* [rpms/python-postorius] rawhide: Backport unreleased fix for CVE-2026-44742
@ 2026-06-17 14:19 Michel Lind
From: Michel Lind @ 2026-06-17 14:19 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/python-postorius
Branch : rawhide
Commit : 8ccd0bb95cab4bdfcdf2da8f1cb309d90bcf3d45
Author : Michel Lind <salimma@fedoraproject.org>
Date   : 2026-06-17T15:17:16+01:00
Stats  : +35/-14 in 6 file(s)
URL    : https://src.fedoraproject.org/rpms/python-postorius/c/8ccd0bb95cab4bdfcdf2da8f1cb309d90bcf3d45?branch=rawhide

Log:
Backport unreleased fix for CVE-2026-44742

- With 1.3.13 we no longer need to exclude example_project

Signed-off-by: Michel Lind <salimma@fedoraproject.org>

---
diff --git a/.gitignore b/.gitignore
index 8baf5d3..288fa54 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /postorius-1.3.6.tar.gz
 /postorius-1.3.8.tar.gz
 /postorius-1.3.12.tar.gz
+/postorius-1.3.13.tar.gz

diff --git a/postorius-dont-ship-examples.diff b/postorius-dont-ship-examples.diff
deleted file mode 100644
index 0413cf1..0000000
--- a/postorius-dont-ship-examples.diff
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -52,7 +52,6 @@ path = "src/postorius/__init__.py"
- 
- [tool.pdm.build]
- includes = [
--    "example_project/",
-     "src/",
- ]
- source-includes = [

diff --git a/postorius-fix-CVE-2026-44742.diff b/postorius-fix-CVE-2026-44742.diff
new file mode 100644
index 0000000..5db347d
--- /dev/null
+++ b/postorius-fix-CVE-2026-44742.diff
@@ -0,0 +1,26 @@
+--- a/src/postorius/doc/news.rst
++++ b/src/postorius/doc/news.rst
+@@ -17,6 +17,12 @@ General Public License for more details.
+ You should have received a copy of the GNU Lesser General Public License
+ along with Postorius. If not, see <http://www.gnu.org/licenses/>.
+ 
++Security
++--------
++* Escape HTML in the message subject when rendering it in the Held messages
++  pop-up. (See !972)
++
++
+ .. _NEWS-1.3.13:
+ 
+ 1.3.13
+--- a/src/postorius/static/postorius/js/held_messages.js
++++ b/src/postorius/static/postorius/js/held_messages.js
+@@ -9,7 +9,7 @@ var loadjs = function(rest_url, error_me
+       url: rest_url + msgid,
+       success: function(data) {
+         $('#message-source-btn').attr('href', rest_url + msgid + '?raw')
+-        $('#message-title').html(data.subject);
++        $('#message-title').text(data.subject);
+         $('.modal-footer form input[name="msgid"]').attr('value', msgid);
+         if (data.msg.body) {
+           $('#held-message-content').text(data.msg.body);
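Review bot: the news.rst hunk inside this backport is documentation only and, because its context lines come from upstream master rather than the 1.3.13 tarball, it is the part most likely to need fuzz or fail to apply; dropping it (or keeping only the held_messages.js hunk) would make the backport more robust. The code change itself is the right mitigation: switching `$('#message-title').html(data.subject)` to `.text(data.subject)` makes jQuery insert the subject as a text node, so markup in a held message's Subject header is no longer interpreted in the moderator's pop-up, matching how `data.msg.body` is already rendered with `.text()` in the same callback. The patch file carries no From:/commit header for !972, so the only provenance is the spec comment; recording the upstream commit id in the file header would help the next person who has to rebase it.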

diff --git a/python-postorius.spec b/python-postorius.spec
index c940a3b..741d56e 100644
--- a/python-postorius.spec
+++ b/python-postorius.spec
@@ -3,17 +3,20 @@
 %bcond_with tests
 
 Name:           python-postorius
-Version:        1.3.12
+Version:        1.3.13
 Release:        %autorelease
 Summary:        Web UI for GNU Mailman
 
 License:        GPL-3.0-or-later
 URL:            https://gitlab.com/mailman/postorius
 Source:         %{pypi_source postorius}
-# don't ship examples, they end up in sitelib
-Patch:          postorius-dont-ship-examples.diff
 # allow Django 5.2, for Python 3.14 compatibility
 Patch:          postorius-django52.diff
+# https://nvd.nist.gov/vuln/detail/CVE-2026-44742
+# per https://www.openwall.com/lists/oss-security/2026/05/07/3
+# this fix was committed but never published as a new version
+# backport https://gitlab.com/mailman/postorius/-/merge_requests/972.diff to 1.3.12
+Patch:          postorius-fix-CVE-2026-44742.diff
 
 BuildArch:      noarch
 
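Review bot: the comment above the new `Patch:` line says the merge request is backported "to 1.3.12", but the same hunk bumps `Version:` to 1.3.13; update the comment so the stated base matches the tarball the patch is actually applied to. The NVD and oss-security links are good to keep, since they explain why a patch is needed for a version that upstream has not released.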

diff --git a/series b/series
index ab4222c..cdaf159 100644
--- a/series
+++ b/series
@@ -1,2 +1,3 @@
 postorius-dont-ship-examples.diff
 postorius-django52.diff
+postorius-fix-CVE-2026-44742.diff
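Review bot: `series` still lists postorius-dont-ship-examples.diff even though this commit deletes that file and drops its `Patch:` line from the spec; remove the stale entry, since anything that applies the series in order (quilt, or a build that reads it) would stop on the missing file. The file should end up with just `postorius-django52.diff` and `postorius-fix-CVE-2026-44742.diff`.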

diff --git a/sources b/sources
index c9b28cd..22ce003 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (postorius-1.3.12.tar.gz) = 96afb15b0e8bcdae5a4b5000fcb0a8267d891c45fea7f8272faf8a9448a8662e7908d79323a00d1916877026f3987b224551b99ccf363d1ade3e69d732ffe6e4
+SHA512 (postorius-1.3.13.tar.gz) = 088bb578f9d33d38252b9e9cf578d5d2e8920cb67e73b7ae040dc30097d3a294e660f445419a681888820b01c16a940fe375c53a28344bb3e024a614e411a2ac
