
fr - Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

Subject: For administrators of mailing list servers running the Sympa software

  • From: David Verdin <adresse@cachée>
  • To: Martin <adresse@cachée>, adresse@cachée
  • Subject: Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Mon, 23 Apr 2018 09:53:30 +0200

Hello,

The Debian packager is going to update. He confirmed this to us last Friday.

Have a good day!

David


On 23/04/2018 09:34, Martin wrote:
Hello,

Will an update be released in the debian/stretch security repositories,
and if so, when?

We are currently on 6.2.16~dfsg-3 in stretch
(https://packages.debian.org/stretch/sympa)


On Thu, 19 Apr 2018 22:19:09 +0900,
IKEDA Soji <adresse@cachée> wrote:

Latest version is found at
<https://sympa-community.github.io/security/2018-001.html>

2018-001 Security flaws in template editing
===========================================

The Sympa Community
2018-04-19 (Initial version)

Synopsis
--------

A fix is available for a vulnerability discovered in Sympa web
interface.


Systems Affected
----------------

- All versions prior to Sympa 6.2.32


Problem Description
-------------------

A vulnerability has been discovered in Sympa web interface that
allows write access to files on the server filesystem.

This flaw allows to create or modify any file writable by the Sympa
user, located on the server filesystem, using the function of Sympa
web interface template file saving.


Impact
------

Possibility to create or modify files on the server filesystem.


Workarounds
-----------

Users who can't upgrade to the latest version have the following
workaround solution: Disable access to corresponding function
through the web interface.

- Configure HTTP server to deny access to the location under
`<wwsympa_url>/savefile/`. For more details consult
documentation of HTTP server you are using.


Solution
--------

- Upgrade to version 6.2.32

  - Source distribution: [sympa-6.2.32.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz)
  - Binary distributions: Check release information by
    distributors.

or

- Apply a patch

  - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch)
  - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch)

Download appropriate patch file and save it in your server.
Move into the directory where `wwsympa.fcgi` is installed, and apply
patch:

# patch -p1 < sympa-6.2.XX-sa-2018-001.patch

Then restart web interface.

Versions prior to 6.2 are no longer maintained. Users of these
versions should upgrade to 6.2.32 to prevent potential attacks.


CVE Numbers
-----------

Pending.


References
----------

- [Sympa 6.2.32 announce](https://github.com/sympa-community/sympa/releases/tag/6.2.32)


Change log
----------

- 2018-04-19: Initial version published


--
"Better to aim for perfection and miss it than to aim for mediocrity and
reach it."
- Francis Blanche
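The Workarounds section of the quoted advisory says to have the HTTP server deny access to `<wwsympa_url>/savefile/`. Below is an added example of such a rule for Apache httpd 2.4; it is not from the advisory or the Sympa project, and it assumes the web interface is served under the `/sympa` path prefix (i.e. `wwsympa_url` is `https://lists.example.org/sympa`).

```apache
# Added example, not from the advisory or the Sympa project.
# Goal: make the template-saving function unreachable at the HTTP server
# until Sympa 6.2.32 or the sa-2018-001 patch is deployed.
#
# Assumption: wwsympa_url is https://lists.example.org/sympa, so the web
# interface (wwsympa.fcgi) is reached under the /sympa prefix. Adjust the
# path below to match your own wwsympa_url, and put this block inside the
# virtual host that serves wwsympa.fcgi, then reload httpd.
#
# <Location> matches whole path segments, so "/sympa/savefile" covers
# /sympa/savefile and everything below it (e.g. /sympa/savefile/<list>/...)
# but not unrelated paths that merely start with the same characters.
# Authorization is evaluated before the request is handed to FastCGI, so
# the Sympa code for this action never runs.
<Location "/sympa/savefile">
    # Apache 2.4 syntax: every client gets 403, listmasters included.
    # This deliberately disables web-based template saving, as the
    # advisory's workaround intends.
    Require all denied

    # Apache 2.2 equivalent (use instead of "Require all denied"):
    #   Order deny,allow
    #   Deny from all
</Location>
```

After reloading, `curl -sI https://lists.example.org/sympa/savefile/` should return `HTTP/1.1 403 Forbidden` while the rest of the interface keeps working. Remove the block once the upgrade or patch is in place if web template editing is needed again.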





