Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

[David Verdin <adresse@cachée>]

Bonjour,

La packager Debian va mettre à jour. Il nous l'a confirmé vendredi dernier.

Bonne journée !

David


On 23/04/2018 09:34, Martin wrote:
> Bonjour,
>
> Est-ce qu'une mise à jour dans les dépôts de sécurité de debian/stretch
> va sortir et si oui, quand ?
>
> On est actuellement en 6.2.16~dfsg-3 dans stretch
> (https://packages.debian.org/stretch/sympa)
>
>
> Le Thu, 19 Apr 2018 22:19:09 +0900,
> IKEDA Soji <adresse@cachée> a écrit :
>
> > Latest version is found at
> > <https://sympa-community.github.io/security/2018-001.html>
> >
> > 2018-001 Security flaws in template editing
> > ===========================================
> >
> > The Sympa Community
> > 2018-04-19 (Initial version)
> >
> > Synopsis
> > --------
> >
> > A fix is available for a vulnerability discovered in Sympa web
> > interface.
> >
> >
> > Systems Affected
> > ----------------
> >
> >    - All versions prior to Sympa 6.2.32
> >
> >
> > Problem Description
> > -------------------
> >
> > A vulnerability has been discovered in Sympa web interface that
> > allows write access to files on the server filesystem.
> >
> > This flaw allows to create or modify any file writable by the Sympa
> > user, located on the server filesystem, using the function of Sympa
> > web interface template file saving.
> >
> >
> > Impact
> > ------
> >
> > Possibility to create or modify files on the server filesystem.
> >
> >
> > Workarounds
> > -----------
> >
> > Users who can't upgrade to the latest version have the following
> > workaround solution: Disable access to corresponding function
> > through the web interface.
> >
> >    - Configure HTTP server to deny access to the location under
> >      `<wwsympa_url>/savefile/`.  For more details consult
> >      documentation of HTTP server you are using.
> >
> >
> > Solution
> > --------
> >
> >    - Upgrade to version 6.2.32
> >
> >        - Source distribution: [sympa-6.2.32.tar.gz]
> >          
> > <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz>
> >        - Binary distributions: Check release information by
> >          distributors.
> >
> > or
> >
> >     - Apply a patch
> >
> >        - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch]
> >          
> > <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch>
> >        - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch]
> >          
> > <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch>
> >
> >        Download appropriate patch file and save it in your server.
> > Move into the directory where `wwsympa.fcgi` is installed, and apply
> >        patch:
> >
> >        # patch -p1 < sympa-6.2.XX-sa-2018-001.patch
> >
> >        Then restart web interface.
> >
> > Versions prior to 6.2 are no longer maintained. Users of these
> > versions should upgrade to 6.2.32 to prevent potential attacks.
> >
> >
> > CVE Numbers
> > -----------
> >
> > Pending.
> >
> >
> > References
> > ----------
> >
> >    - [Sympa 6.2.32 announce]
> >      <https://github.com/sympa-community/sympa/releases/tag/6.2.32>
> >
> >
> > Change log
> > ----------
> >
> >    - 2018-04-19: Initial version published

--
"Mieux vaut viser la perfection et la rater que viser la médiocrité et 
l'atteindre."
- Francis Blanche

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature