author Matthias Andree <mandree@FreeBSD.org> 2018-02-08 22:32:23 +0000
committer Matthias Andree <mandree@FreeBSD.org> 2018-02-08 22:32:23 +0000
commit e60b89a6a0a6aab20c4612371327c097b7db2de1 (patch)
tree ec6ad51c3706dde18d341758e8de9faafacdb30e /mail/mailman
parent 06ae662dddbb574e413b1a0b1ac584c88cab9499 (diff)
Security update to 2.1.26 (XSS bug), assorted other fixes.

- Fix checksum failures in Defaults.py[c]: No longer patch Defaults.py in postinstall, instead configure --with-mailhost=localhost --with-urlhost=localhost, as Fedora and Arch Linux do.
- Add a related note to FreeBSD-post-install-notes.
- Add a related safeguard to the rcfile, which will refuse to run if the DEFAULT_*_HOSTs are not configured. This can be changed with a new mailman_run_localhost="YES" rc.conf setting, which will then restrict itself to printing the warnings, but still start mailman.
- Update htdig patch to upstream SVN r1734.
- Bump USES, python:2 -> python:2.7
- Regenerated patches.

Changelog: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1743/NEWS#L8
Release/Security announcement: https://www.mail-archive.com/mailman-users@python.org/msg70478.html

PR: 225767 (related vuxml entry)
Reported by: Vladimir Krstulja
MFH: 2018Q1
Security: CVE-2018-5950
Security: 3d0eeef8-0cf9-11e8-99b0-d017c2987f9a
Notes: svn path=/head/; revision=461277
Diffstat (limited to 'mail/mailman')
-rw-r--r-- mail/mailman/Makefile 10
-rw-r--r-- mail/mailman/distinfo 10
-rw-r--r-- mail/mailman/files/FreeBSD-post-install-notes 11
-rw-r--r-- mail/mailman/files/mailman.in 16
-rw-r--r-- mail/mailman/files/patch-Mailman__Defaults.py.in 20
-rw-r--r-- mail/mailman/files/patch-Mailman__htmlformat.py 8
-rw-r--r-- mail/mailman/files/patch-misc__mailman.in 13
-rw-r--r-- mail/mailman/files/pkg-install.in 3
-rw-r--r-- mail/mailman/pkg-plist 2
9 files changed, 60 insertions, 33 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 5f0e23d4de1f..fcefaa2b7501 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= mailman
-DISTVERSION= 2.1.25
+DISTVERSION= 2.1.26
PORTREVISION= 0
CATEGORIES= mail
MASTER_SITES= GNU \
@@ -21,7 +21,7 @@ LICENSE_FILE= ${WRKSRC}/gnu-COPYING-GPL
CONFLICTS= ja-mailman-2.1.*
-USES= autoreconf cpe fakeroot python:2 shebangfix tar:tgz
+USES= autoreconf cpe fakeroot python:2.7 shebangfix tar:tgz
USE_RC_SUBR= mailman
SHEBANG_FILES= bin/msgfmt.py \
tests/fblast.py \
@@ -36,8 +36,8 @@ CONFIGURE_ARGS+=--with-python=${PYTHON_CMD} \
--with-groupname=${MM_GROUPNAME} \
--with-mail-gid=${MAIL_GID} --with-cgi-gid=${CGI_GID} \
--with-permcheck=no \
- --with-mailhost=// \
- --with-urlhost=//
+ --with-mailhost=localhost \
+ --with-urlhost=localhost
# The Mailman port supports a number of variables that may be tweaked at
# build time. Getting the values of some of them right is crucial!
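Review bot: The values in --with-mailhost=localhost and --with-urlhost=localhost now double as the "not yet configured" marker that files/mailman.in tests for, but nothing at this spot says so. Unlike the old '//' placeholder, localhost is a valid host name, so a later change to either value would quietly disable the start-up check. Add a comment above these two arguments tying them to the literal {'localhost': 'localhost'} comparison in the rc script.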
@@ -128,7 +128,7 @@ PKGNAMESUFFIX+= -with-htdig
#X unpack this tarball, and the original distfile
#X diff -NEur original-unpack bazaar-unpack | xz --best -c >msapiro-htdig-1702.patch.xz
#X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory
-_HTDIGREV= 1717
+_HTDIGREV= 1734
PATCHFILES+= msapiro-htdig-${_HTDIGREV}.patch.xz
RUN_DEPENDS+= htdig:textproc/htdig
PLIST_SUB+= SUB_HTDIG=""
diff --git a/mail/mailman/distinfo b/mail/mailman/distinfo
index 9f5f47f2a055..bd519c6eed6c 100644
--- a/mail/mailman/distinfo
+++ b/mail/mailman/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1509135818
-SHA256 (mailman/mailman-2.1.25.tgz) = 83a6dcbdc5356648db0ad03a0d55d4786071c04d4d6e69d5e95e1815975e0169
-SIZE (mailman/mailman-2.1.25.tgz) = 9254776
-SHA256 (mailman/msapiro-htdig-1717.patch.xz) = 9c272ce70507ece4f46b81a443540a2dbd68661d2f5db904e073782765b0e4a0
-SIZE (mailman/msapiro-htdig-1717.patch.xz) = 198620
+TIMESTAMP = 1518121723
+SHA256 (mailman/mailman-2.1.26.tgz) = 240177e1ef561ede88d7b48283c3835f39bbd0b1ae19100d3520cbe43058339f
+SIZE (mailman/mailman-2.1.26.tgz) = 9264592
+SHA256 (mailman/msapiro-htdig-1734.patch.xz) = 1616c8ae2cb393bd60aa463523fe1b7e7f4bae20d29104242388ba1886e0b8c0
+SIZE (mailman/msapiro-htdig-1734.patch.xz) = 50304
diff --git a/mail/mailman/files/FreeBSD-post-install-notes b/mail/mailman/files/FreeBSD-post-install-notes
index d51ac553b1e6..020d833b015a 100644
--- a/mail/mailman/files/FreeBSD-post-install-notes
+++ b/mail/mailman/files/FreeBSD-post-install-notes
@@ -38,6 +38,17 @@ package) can help with that.
many of the steps you may read about in these files. Also, not everything
in these files is necessarily relevant to the FreeBSD port.
+ In most cases, you will want to override the host name settings (which
+ default to 'localhost') by adding these lines to Mailman/mm_cfg.py:
+ (the documentation is in Mailman/Defaults.py, but you need to override
+ the defaults in mm_cfg.py instead, changes to Defaults.py are lost on
+ upgrades):
+
+ # adjust and add this to Mailman/mm_cfg.py:
+ DEFAULT_URL_HOST = 'CHANGE_ME.example.org'
+ DEFAULT_EMAIL_HOST = 'CHANGE_ME.example.org'
+ add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
+
2) Integrating Mailman with your web server
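Review bot: The added paragraph opens with "In most cases, you will want to override the host name settings", which understates what this commit does: the rc script now refuses to start while VIRTUAL_HOSTS is still {'localhost': 'localhost'}. Suggest saying that the override is required for the service to start, and naming the mailman_run_localhost="YES" rc.conf setting as the way to start anyway, so that these notes and files/mailman.in tell the administrator the same thing.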
diff --git a/mail/mailman/files/mailman.in b/mail/mailman/files/mailman.in
index 679a5f4710c1..7105a6b1f227 100644
--- a/mail/mailman/files/mailman.in
+++ b/mail/mailman/files/mailman.in
@@ -15,6 +15,10 @@
# check_perms on start or post-install.
# Default is "YES", but this is unsuitable
# for slow machines with many lists.
+#
+# mailman_run_localhost (bool): Set to "YES" to enable running mailman
+# with unchanged DEFAULT_URL_HOST and
+# DEFAULT_EMAIL_HOST. Default is "NO".
. /etc/rc.subr
@@ -31,15 +35,27 @@ load_rc_config $name
: ${mailman_enable:="NO"}
: ${mailman_fix_perms:="YES"}
: ${mailman_flags:="-s -q"}
+: ${mailman_run_localhost:="NO"}
start_precmd=${name}_prestart
extra_commands="reload status"
mailman_prestart() {
+ ### check/fix permissions if desired
if checkyesno mailman_fix_perms ; then
check_startmsgs && echo "Fixing ${name} permissions:"
env LC_ALL=C %%MAILMANDIR%%/bin/check_perms -f ${rc_debug:+-v}
fi
+
+ ### check if the default configuration is plausible
+ vhosts=$(PYTHONPATH="%%MAILMANDIR%%/bin" "%%PYTHON_CMD%%" -c 'import paths;from Mailman import mm_cfg;_x=dict(mm_cfg.VIRTUAL_HOSTS);print repr(_x);')
+ if [ "${vhosts}" = "{'localhost': 'localhost'}" ] ; then
+ warn 'Be sure to change the default hosts in Mailman/mm_cfg.py!'
+ warn 'Review %%DOCSDIR%%/FreeBSD-post-install-notes for instructions.'
+ if ! checkyesno mailman_run_localhost ; then
+ err 78 "Start of mailman refused due to insufficient configuration."
+ fi
+ fi
}
run_rc_command "$1"
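Review bot: In mailman_prestart the output of the "%%PYTHON_CMD%%" -c call is compared as a string but its exit status is never checked, so if importing paths or mm_cfg fails (a syntax error in mm_cfg.py, for instance) vhosts is empty, the test against "{'localhost': 'localhost'}" is false, and start-up continues as if the configuration had been validated. Suggest checking the command's status and calling err when it fails. Doing the comparison inside the Python one-liner and signalling the result through the exit code would also remove the dependency on the exact repr() text of the dict. vhosts should also be declared local to the function.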
diff --git a/mail/mailman/files/patch-Mailman__Defaults.py.in b/mail/mailman/files/patch-Mailman__Defaults.py.in
index 4cc7974b8e2b..e13fbbece5bc 100644
--- a/mail/mailman/files/patch-Mailman__Defaults.py.in
+++ b/mail/mailman/files/patch-Mailman__Defaults.py.in
@@ -1,15 +1,15 @@
---- Mailman/Defaults.py.in.orig 2008-04-24 09:47:40.000000000 -0300
-+++ Mailman/Defaults.py.in 2008-04-24 09:50:37.000000000 -0300
-@@ -107,7 +107,7 @@
+--- Mailman/Defaults.py.in.orig 2018-02-04 17:04:39 UTC
++++ Mailman/Defaults.py.in
+@@ -148,7 +148,7 @@ GLOBAL_BAN_LIST = []
# Command that is used to convert text/html parts into plain text. This
# should output results to standard output. %(filename)s will contain the
# name of the temporary file that the program should operate on.
-HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
+HTML_TO_PLAIN_TEXT_COMMAND = '%%LOCALBASE%%/bin/lynx -dump %(filename)s'
-
-
-@@ -395,8 +395,8 @@
+ # A Python regular expression character class which defines the characters
+ # allowed in list names. Lists cannot be created with names containing any
+@@ -538,8 +538,8 @@ VIRTUAL_MAILMAN_LOCAL_DOMAIN = None
# and virtual-mailman.db files, respectively, from the associated plain text
# files. The file being updated will be appended to this string (with a
# separating space), so it must be appropriate for os.system().
@@ -20,16 +20,16 @@
# Ceiling on the number of recipients that can be specified in a single SMTP
# transaction. Set to 0 to submit the entire recipient list in one
-@@ -430,7 +430,7 @@
+@@ -573,7 +573,7 @@ SMTPPORT = 0
# Command for direct command pipe delivery to sendmail compatible program,
# when DELIVERY_MODULE is 'Sendmail'.
-SENDMAIL_CMD = '/usr/lib/sendmail'
+SENDMAIL_CMD = '/usr/sbin/sendmail'
- # Set these variables if you need to authenticate to your NNTP server for
- # Usenet posting or reading. If no authentication is necessary, specify None
-@@ -673,6 +673,12 @@
+ # SMTP authentication for DELIVERY_MODULE = 'SMTPDirect'. To enable SASL
+ # authentication for SMTPDirect, set SMTP_AUTH = Yes and provide appropriate
+@@ -851,6 +851,12 @@ VERP_CONFIRMATIONS = No
# debugging).
MAX_AUTORESPONSES_PER_DAY = 10
diff --git a/mail/mailman/files/patch-Mailman__htmlformat.py b/mail/mailman/files/patch-Mailman__htmlformat.py
index d7e79cdac047..fef6b4594d14 100644
--- a/mail/mailman/files/patch-Mailman__htmlformat.py
+++ b/mail/mailman/files/patch-Mailman__htmlformat.py
@@ -1,6 +1,6 @@
---- Mailman/htmlformat.py.orig Sun Apr 21 17:27:02 2002
-+++ Mailman/htmlformat.py Fri Sep 27 16:17:48 2002
-@@ -600,12 +600,14 @@
+--- Mailman/htmlformat.py.orig 2018-02-04 17:04:39 UTC
++++ Mailman/htmlformat.py
+@@ -646,12 +646,14 @@ class DefinitionList(Container):
from mm_cfg import MAILMAN_URL
PYTHON_URL = 'http://www.python.org/'
GNU_URL = 'http://www.gnu.org/'
@@ -15,7 +15,7 @@
def MailmanLogo():
-@@ -617,17 +619,17 @@
+@@ -663,17 +665,17 @@ def MailmanLogo():
'<br>version %s' % (logo(DELIVERED_BY), mm_cfg.VERSION)
pylink = '<img src="%s" alt="Python Powered" border=0>' % \
logo(PYTHON_POWERED)
diff --git a/mail/mailman/files/patch-misc__mailman.in b/mail/mailman/files/patch-misc__mailman.in
index 728fc537b3f6..b20d7eda710f 100644
--- a/mail/mailman/files/patch-misc__mailman.in
+++ b/mail/mailman/files/patch-misc__mailman.in
@@ -1,6 +1,6 @@
---- misc/mailman.in.orig Thu Mar 7 08:09:51 2002
-+++ misc/mailman.in Fri Sep 27 15:56:40 2002
-@@ -39,15 +39,19 @@
+--- misc/mailman.in.orig 2018-02-04 17:04:39 UTC
++++ misc/mailman.in
+@@ -52,16 +52,20 @@ MAILMANCTL=$MAILMANHOME/bin/mailmanctl
case "$1" in
'start')
#rm -f $MAILMANHOME/locks/*
@@ -15,10 +15,11 @@
'restart')
$PYTHON $MAILMANCTL -q restart
-+ ;;
+ ;;
+*)
+ echo "Usage: `basename $0` {start|stop|restart}" >&2
+ exit 64
- ;;
++ ;;
- esac
+ 'reopen')
+ $PYTHON $MAILMANCTL -q reopen
diff --git a/mail/mailman/files/pkg-install.in b/mail/mailman/files/pkg-install.in
index ce9bbd6474c0..90d4f0584318 100644
--- a/mail/mailman/files/pkg-install.in
+++ b/mail/mailman/files/pkg-install.in
@@ -106,9 +106,6 @@ POST-INSTALL)
echo "---> rcfile sets mailman_fix_perms to no, skipping check_perms"
fi
- echo "---> Fixing up default host names (MAILHOST, URLHOST)"
- sed -Ee "s}^(DEFAULT_(EMAIL|URL)_HOST) = '//'}\1 = '`hostname -f`'}" -i '' "%%MAILMANDIR%%/Mailman/Defaults.py"
-
echo "---> Running assorted other checks"
if egrep -q "^[ \t]*MTA.*=.*Postfix" "%%MAILMANDIR%%/Mailman/mm_cfg.py" ; then
# run Postfix-specific checks
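Review bot: With the sed on Defaults.py removed from POST-INSTALL, nothing at install or upgrade time tells the administrator that the host names are now 'localhost'. Installations that relied on the old "hostname -f" substitution will only find out when the rc script refuses to start. Suggest replacing the two removed lines with an echo that points at FreeBSD-post-install-notes and the mailman_run_localhost setting, so the change is announced at the step where the old fix-up used to run.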
diff --git a/mail/mailman/pkg-plist b/mail/mailman/pkg-plist
index 24c6861ed94b..700f2835058f 100644
--- a/mail/mailman/pkg-plist
+++ b/mail/mailman/pkg-plist
@@ -338,6 +338,7 @@
%%MMDIR%%/bin/list_lists
%%MMDIR%%/bin/list_members
%%MMDIR%%/bin/list_owners
+%%MMDIR%%/bin/mailman-config
%%MMDIR%%/bin/mailmanctl
%%MMDIR%%/bin/mmsitepass
%%MMDIR%%/bin/msgfmt.py
@@ -2161,6 +2162,7 @@
%%MMDIR%%/tests/bounces/exim_01.txt
%%MMDIR%%/tests/bounces/groupwise_01.txt
%%MMDIR%%/tests/bounces/groupwise_02.txt
+%%MMDIR%%/tests/bounces/groupwise_03.txt
%%MMDIR%%/tests/bounces/hotpop_01.txt
%%MMDIR%%/tests/bounces/llnl_01.txt
%%MMDIR%%/tests/bounces/microsoft_01.txt