diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
--- hyperkitty-1.3.4/debian/changelog 2021-04-29 09:55:45.000000000 +0000
+++ hyperkitty-1.3.4/debian/changelog 2021-05-28 09:00:26.000000000 +0000
@@ -1,3 +1,10 @@
+hyperkitty (1.3.4-4) unstable; urgency=high
+
+ * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
+ archives stay private during import (CVE-2021-33038). (Closes: #989183)
+
+ -- Jonas Meurer Fri, 28 May 2021 11:00:26 +0200
+
 hyperkitty (1.3.4-3) unstable; urgency=high + * d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
diff -Nru hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
--- hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch 1970-01-01 00:00:00.000000000 +0000
+++ hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch 2021-05-28 09:00:26.000000000 +0000
@@ -0,0 +1,47 @@
+From: Kunal Mehta
+Date: Thu, 6 May 2021 14:15:03 -0700
+Subject: Ensure private archives stay private during import (CVE-2021-33038)
+
+hyperkitty keeps state of whether a mailing list's archives should be
+public or private in the hyperkitty_mailinglist table. However during
+the import process, it would create a row using the default settings
+(archive_policy="public") instead of getting the correct values from
+Mailman. It would only sync with Mailman at the end of the import
+process.
+
+This patch explicitly creates the hyperkitty_mailinglist row/object at
+the beginning of the import process, so the visiblity will be correctly
+obtained from Mailman, before any messages can be accidentally leaked.
+
+Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
+Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
+Bug-Debian: http://bugs.debian.org/989183
+---
+ hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index 7764fa8..f9532e4 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+
+
+ # Allow all wierd line endings.
+@@ -319,6 +319,11 @@ class Command(BaseCommand):
+ # if (settings.DATABASES["default"]["ENGINE"]
+ # != "django.db.backends.sqlite3":
+ # transaction.set_autocommit(False)
++ # Sync list settings with Mailman before importing messages:
++ if not options["no_sync_mailman"]:
++ mlist = MailingList.objects.get_or_create(name=list_address)[0]
++ mlist.update_from_mailman()
++ mlist.save()
+ settings.HYPERKITTY_BATCH_MODE = True
+ # Only import emails newer than the latest email in the DB
+ latest_email_date = Email.objects.filter(
diff -Nru hyperkitty-1.3.4/debian/patches/series hyperkitty-1.3.4/debian/patches/series
--- hyperkitty-1.3.4/debian/patches/series 2021-04-29 09:55:45.000000000 +0000
+++ hyperkitty-1.3.4/debian/patches/series 2021-05-28 09:00:26.000000000 +0000
@@ -2,3 +2,4 @@
 0002_Use_python3_by_default.patch
 0003-run-sassc-at-build-time.patch
 0004_remove_link_to_google_fonts.patch
+0005_ensure_private_archives_during_import.patch
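Review bot: The early sync is skipped entirely under `options["no_sync_mailman"]`, so in that mode the MailingList row is presumably still created later with the model default the patch description names (`archive_policy="public"`) and the exposure this patch closes remains reachable; either create the row here unconditionally with `defaults={...}` carrying a private policy (the exact value is not visible in the hunk), or state that exposure in the `--no-sync-mailman` help text. Separately, `get_or_create` persists the row with its defaults before `update_from_mailman()` runs, so if that call raises the command aborts with a row left behind at the default policy; wrapping the three new lines in `with transaction.atomic():` (the commented-out lines above suggest `transaction` is in scope, but confirm) or passing a private `defaults=` closes that window. The enclosing `Command` method starts and ends outside the hunk.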