
fr - Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

Subject: For administrators of list servers using the Sympa software

  • From: Martin <adresse@cachée>
  • To: David Verdin <adresse@cachée>
  • Cc: adresse@cachée
  • Subject: Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Wed, 2 May 2018 09:37:02 +0200

Hello David,

Thanks for the reply,

Obviously I'm itching to ask: do we have a rough idea of the release
date for these packages?

On Mon, 23 Apr 2018 09:53:30 +0200,
David Verdin <adresse@cachée> wrote:

> Hello,
>
> The Debian packager is going to update. He confirmed it to us last
> Friday.
>
> Have a good day!
>
> David
>
>
> On 23/04/2018 09:34, Martin wrote:
> > Hello,
> >
> > Is an update going to be released in the debian/stretch security
> > repositories, and if so, when?
> >
> > We are currently on 6.2.16~dfsg-3 in stretch
> > (https://packages.debian.org/stretch/sympa)
> >
> >
> > On Thu, 19 Apr 2018 22:19:09 +0900,
> > IKEDA Soji <adresse@cachée> wrote:
> >
> >> Latest version is found at
> >> <https://sympa-community.github.io/security/2018-001.html>
> >>
> >> 2018-001 Security flaws in template editing
> >> ===========================================
> >>
> >> The Sympa Community
> >> 2018-04-19 (Initial version)
> >>
> >> Synopsis
> >> --------
> >>
> >> A fix is available for a vulnerability discovered in the Sympa web
> >> interface.
> >>
> >>
> >> Systems Affected
> >> ----------------
> >>
> >> - All versions prior to Sympa 6.2.32
> >>
> >>
> >> Problem Description
> >> -------------------
> >>
> >> A vulnerability has been discovered in the Sympa web interface that
> >> allows write access to files on the server filesystem.
> >>
> >> This flaw makes it possible to create or modify any file writable by
> >> the Sympa user on the server filesystem, using the template file
> >> saving function of the Sympa web interface.
> >>
> >>
> >> Impact
> >> ------
> >>
> >> Possibility to create or modify files on the server filesystem.
> >>
> >>
> >> Workarounds
> >> -----------
> >>
> >> Users who can't upgrade to the latest version have the following
> >> workaround: disable access to the corresponding function through
> >> the web interface.
> >>
> >> - Configure the HTTP server to deny access to the location under
> >> `<wwsympa_url>/savefile/`. For more details, consult the
> >> documentation of the HTTP server you are using.
> >>
> >>
> >> Solution
> >> --------
> >>
> >> - Upgrade to version 6.2.32
> >>
> >>   - Source distribution: [sympa-6.2.32.tar.gz]
> >>     <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz>
> >>   - Binary distributions: Check release information by
> >>     distributors.
> >>
> >> or
> >>
> >> - Apply a patch
> >>
> >>   - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch]
> >>     <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch>
> >>   - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch]
> >>     <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch>
> >>
> >> Download the appropriate patch file and save it on your server.
> >> Move into the directory where `wwsympa.fcgi` is installed, and
> >> apply the patch:
> >>
> >> # patch -p1 < sympa-6.2.XX-sa-2018-001.patch
> >>
> >> Then restart web interface.
> >>
> >> Versions prior to 6.2 are no longer maintained. Users of these
> >> versions should upgrade to 6.2.32 to prevent potential attacks.
> >>
> >>
> >> CVE Numbers
> >> -----------
> >>
> >> Pending.
> >>
> >>
> >> References
> >> ----------
> >>
> >> - [Sympa 6.2.32 announce]
> >> <https://github.com/sympa-community/sympa/releases/tag/6.2.32>
> >>
> >>
> >> Change log
> >> ----------
> >>
> >> - 2018-04-19: Initial version published
> >
>
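The advisory quoted above describes a template-saving function that could write any file the Sympa user is allowed to write. The page does not show the change made in the 6.2.32 patch, so the following is an added illustration of the defensive check this class of flaw calls for, written in Python and not taken from Sympa's code base: the requested template name is confined to the template directory after canonicalisation, so traversal (`..`), absolute paths and symlinks that point outside the root are refused before anything is opened for writing. The template root, the `.tt2` file names and the `demo()` helper are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class UnsafeTemplatePath(ValueError):
    """Raised when a requested template name would escape the template root."""


def resolve_template_target(template_root: str, relative_name: str) -> Path:
    """Return the absolute path a template save may write to, or raise.

    Anything that does not resolve strictly inside template_root after
    normalisation and symlink resolution is rejected, so "../" traversal,
    absolute names and symlinks pointing outside the root all fail here,
    before any file is opened.
    """
    root = Path(template_root).resolve(strict=True)

    # A saved template is always addressed relative to the template root,
    # so an empty or absolute name is refused outright.
    if not relative_name or os.path.isabs(relative_name):
        raise UnsafeTemplatePath(f"absolute or empty name rejected: {relative_name!r}")

    # A NUL byte would truncate the name in C-level filesystem calls.
    if "\x00" in relative_name:
        raise UnsafeTemplatePath("NUL byte in template name")

    candidate = root / relative_name

    # resolve() follows symlinks in every existing component and collapses
    # ".." lexically; for a file that does not exist yet this still
    # canonicalises its parent directory.
    resolved = candidate.resolve()

    try:
        resolved.relative_to(root)
    except ValueError:
        raise UnsafeTemplatePath(f"{relative_name!r} resolves outside {root}") from None

    if resolved == root:
        raise UnsafeTemplatePath("name resolves to the template root itself")

    return resolved


def save_template(template_root: str, relative_name: str, content: str) -> Path:
    """Write content to the validated template path and return that path."""
    target = resolve_template_target(template_root, relative_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def demo() -> dict:
    """Exercise the check against constructed names in a throwaway directory.

    Returns a dict mapping each constructed request to "saved" or "rejected",
    plus a flag confirming the file outside the root was never touched.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"  # assumed template root (constructed)
        root.mkdir()
        outside = Path(tmp) / "outside.txt"  # a file that must never be written
        outside.write_text("do not touch")
        # A symlink inside the root that points outside it (constructed).
        (root / "escape").symlink_to(outside)

        requests = [
            "welcome.tt2",             # legitimate template
            "mail/footer.tt2",         # legitimate template in a subdirectory
            "../outside.txt",          # plain traversal
            "/etc/passwd",             # absolute path
            "escape",                  # symlink leaving the root
            "sub/../../outside.txt",   # traversal through a non-existent directory
        ]
        results = {}
        for name in requests:
            try:
                save_template(str(root), name, "x")
                results[name] = "saved"
            except UnsafeTemplatePath:
                results[name] = "rejected"
        results["outside_untouched"] = outside.read_text() == "do not touch"
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r}: {outcome}")
```

The web-server workaround in the advisory blocks the whole `savefile` location at the front door; the check above is the complementary application-side control, which keeps working even when the function is reachable. Note that the symlink case only shows up because the comparison is done on the resolved path, not on the string the client supplied.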





Archives managed by MHonArc 2.6.19+.