
fr - Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

Subject: For administrators of list servers using the Sympa software

  • From: Martin <adresse@cachée>
  • To: "adresse@cachée" <adresse@cachée>
  • Subject: Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Mon, 23 Apr 2018 09:34:30 +0200

Hello,

Is an update going to be released in the debian/stretch security
repositories, and if so, when?

We are currently on 6.2.16~dfsg-3 in stretch
(https://packages.debian.org/stretch/sympa)


On Thu, 19 Apr 2018 22:19:09 +0900,
IKEDA Soji <adresse@cachée> wrote:

> Latest version is found at
> <https://sympa-community.github.io/security/2018-001.html>
>
> 2018-001 Security flaws in template editing
> ===========================================
>
> The Sympa Community
> 2018-04-19 (Initial version)
>
> Synopsis
> --------
>
> A fix is available for a vulnerability discovered in the Sympa web
> interface.
>
>
> Systems Affected
> ----------------
>
> - All versions prior to Sympa 6.2.32
>
>
> Problem Description
> -------------------
>
> A vulnerability has been discovered in the Sympa web interface that
> allows write access to files on the server filesystem.
>
> This flaw allows creating or modifying any file writable by the Sympa
> user, located on the server filesystem, using the template file saving
> function of the Sympa web interface.
>
>
> Impact
> ------
>
> Possibility to create or modify files on the server filesystem.
>
>
> Workarounds
> -----------
>
> Users who can't upgrade to the latest version have the following
> workaround solution: Disable access to the corresponding function
> through the web interface.
>
> - Configure the HTTP server to deny access to the location under
> `<wwsympa_url>/savefile/`. For more details, consult the
> documentation of the HTTP server you are using.
>
>
> Solution
> --------
>
> - Upgrade to version 6.2.32
>   - Source distribution: [sympa-6.2.32.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz)
>   - Binary distributions: Check release information by
>     distributors.
>
> or
>
> - Apply a patch
>   - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch)
>   - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch)
>
> Download the appropriate patch file and save it on your server.
> Move into the directory where `wwsympa.fcgi` is installed, and apply
> the patch:
>
>     # patch -p1 < sympa-6.2.XX-sa-2018-001.patch
>
> Then restart the web interface.
>
> Versions prior to 6.2 are no longer maintained. Users of these
> versions should upgrade to 6.2.32 to prevent potential attacks.
>
>
> CVE Numbers
> -----------
>
> Pending.
>
>
> References
> ----------
>
> - [Sympa 6.2.32 announce]
> <https://github.com/sympa-community/sympa/releases/tag/6.2.32>
>
>
> Change log
> ----------
>
> - 2018-04-19: Initial version published
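The workaround in the quoted advisory (deny HTTP access to `<wwsympa_url>/savefile/`) written out as a concrete server configuration. This is an added example for readers of the archive; it is not part of the advisory, of Sympa's own configuration files, or of Martin's message. It assumes Apache httpd 2.4 and that `wwsympa_url` maps to the path `/sympa` on this virtual host; both are assumptions, and the path must be adjusted to match the site's actual `wwsympa_url`.

```apache
# Added example, not from the advisory: stop-gap for SA 2018-001 on hosts
# that cannot yet move to Sympa 6.2.32 or apply the patch.
#
# Assumption: the Sympa web interface is served under /sympa, i.e.
# wwsympa_url ends in "/sympa". Adjust the path if your site differs.
#
# <Location> is a prefix match on path segments, so this covers
# /sympa/savefile, /sympa/savefile/ and everything below it.
<Location "/sympa/savefile">
    # Apache 2.4 syntax. On Apache 2.2 use:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</Location>
```

After `apachectl configtest` and a graceful reload, a request such as `curl -I https://lists.example.org/sympa/savefile/` (hostname constructed for illustration) should answer `403 Forbidden`, while the rest of the interface keeps working. The trade-off is the one the advisory states: the web template-editing feature is unavailable to listmasters until the server is upgraded or patched, at which point the block can be removed.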