Version in base suite: 2.1.29-1
Base version: mailman_2.1.29-1
Target version: mailman_2.1.29-1+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mailman/mailman_2.1.29-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mailman/mailman_2.1.29-1+deb10u1.dsc
changelog | 7 +++++++
patches/scrubber-obj2bin.patch | 17 +++++++++++++++++
patches/series | 1 +
3 files changed, 25 insertions(+)
diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog
--- mailman-2.1.29/debian/changelog 2018-09-05 05:03:24.000000000 +0000
+++ mailman-2.1.29/debian/changelog 2020-04-24 14:27:05.000000000 +0000
@@ -1,3 +1,10 @@
+mailman (1:2.1.29-1+deb10u1) buster-security; urgency=high
+
+ * Upload to buster for security issue.
+ * Fix stored cross site scripting in attachment extensions.
+
+ -- Thijs Kinkhorst Fri, 24 Apr 2020 16:27:05 +0200
+
 mailman (1:2.1.29-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru mailman-2.1.29/debian/patches/scrubber-obj2bin.patch mailman-2.1.29/debian/patches/scrubber-obj2bin.patch
--- mailman-2.1.29/debian/patches/scrubber-obj2bin.patch 1970-01-01 00:00:00.000000000 +0000
+++ mailman-2.1.29/debian/patches/scrubber-obj2bin.patch 2020-04-24 14:26:59.000000000 +0000
@@ -0,0 +1,17 @@
+Description: Fix stored XSS via browsers that interpret .obj files
+Origin: upstream, http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1801
+Forwarded: not-needed
+
+diff -Nur mailman-2.1.29/Mailman/Handlers/Scrubber.py mailman-2.1.30/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.29/Mailman/Handlers/Scrubber.py 2018-07-24 22:01:28.000000000 +0000
++++ mailman-2.1.30/Mailman/Handlers/Scrubber.py 2020-04-13 17:08:14.000000000 +0000
+@@ -87,6 +87,9 @@
+ all = guess_all_extensions(ctype, strict=False)
+ if ext in all:
+ return ext
++ if ctype.lower == 'application/octet-stream':
++ # For this type, all[0] is '.obj'. '.bin' is better.
++ return '.bin'
+ return all and all[0]
+ 
+ 
diff -Nru mailman-2.1.29/debian/patches/series mailman-2.1.29/debian/patches/series
--- mailman-2.1.29/debian/patches/series 2018-06-23 13:21:41.000000000 +0000
+++ mailman-2.1.29/debian/patches/series 2020-04-24 14:27:02.000000000 +0000
@@ -9,3 +9,4 @@
 66_donot_let_cache_html_pages.patch
 79_archiver_slash.patch
 92_reproducible_build.patch
+scrubber-obj2bin.patch
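Review bot: The new guard `if ctype.lower == 'application/octet-stream':` in the inner Scrubber.py hunk compares the bound method `str.lower` to a string instead of calling it, so the condition is always false, the added `return '.bin'` is unreachable, and control still falls through to `return all and all[0]` — which the added comment itself says yields `.obj` for this type — meaning the stored-XSS fix announced in the changelog is not actually in effect. The line should read `if ctype.lower() == 'application/octet-stream':`. The enclosing function begins before the inner hunk (it starts at Scrubber.py line 87), so its signature and where `ctype` comes from are not visible here. Because the patch is marked `Origin: upstream` and `Forwarded: not-needed`, the cited upstream revision presumably carries the same defect and should be told about it rather than only correcting the Debian copy; a unit test calling the function with `'application/octet-stream'` and an unmatched extension and asserting `'.bin'` would have caught this.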