fr - Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

Subject: For administrators of list servers running the Sympa software

  • From: David Verdin <adresse@cachée>
  • To: Martin <adresse@cachée>
  • Cc: adresse@cachée
  • Subject: Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Thu, 3 May 2018 10:42:48 +0200

Oh, look at that, 6.2.32 is in unstable...

The backport shouldn't take long.

Have a good day!

David


On 02/05/2018 09:37, Martin wrote:
Hello David,

Thanks for the reply,

Obviously I'm itching to ask: do we have a rough idea of the release
date for these packages?

On Mon, 23 Apr 2018 09:53:30 +0200,
David Verdin <adresse@cachée> wrote:

Hello,

The Debian packager is going to update. He confirmed it to us last
Friday.

Have a good day!

David


On 23/04/2018 09:34, Martin wrote:
Hello,

Is an update going to be released in the debian/stretch security
repositories, and if so, when?

We are currently on 6.2.16~dfsg-3 in stretch
(https://packages.debian.org/stretch/sympa)


On Thu, 19 Apr 2018 22:19:09 +0900,
IKEDA Soji <adresse@cachée> wrote:
The latest version is found at
<https://sympa-community.github.io/security/2018-001.html>

2018-001 Security flaws in template editing
===========================================

The Sympa Community
2018-04-19 (Initial version)

Synopsis
--------

A fix is available for a vulnerability discovered in the Sympa web
interface.


Systems Affected
----------------

- All versions prior to Sympa 6.2.32


Problem Description
-------------------

A vulnerability has been discovered in the Sympa web interface that
allows write access to files on the server filesystem.

This flaw allows creating or modifying any file writable by the Sympa
user on the server filesystem, using the template-file saving
function of the Sympa web interface.


Impact
------

Possibility to create or modify files on the server filesystem.


Workarounds
-----------

Users who can't upgrade to the latest version have the following
workaround: disable access to the corresponding function through the
web interface.

- Configure the HTTP server to deny access to the location under
`<wwsympa_url>/savefile/`. For more details, consult the
documentation of the HTTP server you are using.


Solution
--------

- Upgrade to version 6.2.32

  - Source distribution: [sympa-6.2.32.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz)
  - Binary distributions: check the release information published by
    your distributor.

or

- Apply a patch

  - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch)
  - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch)

Download the appropriate patch file and save it on your server.
Move into the directory where `wwsympa.fcgi` is installed, and
apply the patch:

# patch -p1 < sympa-6.2.XX-sa-2018-001.patch

Then restart the web interface.

Versions prior to 6.2 are no longer maintained. Users of these
versions should upgrade to 6.2.32 to prevent potential attacks.


CVE Numbers
-----------

Pending.


References
----------

- [Sympa 6.2.32 announce]
<https://github.com/sympa-community/sympa/releases/tag/6.2.32>


Change log
----------

- 2018-04-19: Initial version published

--
"Better to aim for perfection and miss it than to aim for mediocrity
and hit it."
- Francis Blanche


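One way to put the HTTP-server workaround from the quoted advisory in place, as an added example that is not part of the advisory or of the Sympa project's own configuration: an Apache httpd 2.4 fragment that denies the `savefile` location. It assumes the web interface is served under `/sympa` (that is, `wwsympa_url` is `http://lists.example.org/sympa`); change the prefix to match your own `wwsympa_url`.

```apache
# Added example, not from the advisory or the Sympa project.
# Assumption: wwsympa_url is http://lists.example.org/sympa, so the web
# interface lives under /sympa; adjust the prefix to match your setup.
#
# <Location> matches the path and everything below it, so this covers
# <wwsympa_url>/savefile/ as a whole. The template-saving action then
# cannot be reached through the HTTP server, even by logged-in users,
# until 6.2.32 or the vendor patch is installed.
<Location "/sympa/savefile">
    # Apache 2.4 access control; on 2.2 use "Order deny,allow" and
    # "Deny from all" instead.
    Require all denied
</Location>
```

After reloading httpd, a request to anything under `/sympa/savefile/` should return 403 while the rest of the interface keeps working. Remove the block once the upgrade or patch is applied, since this location is also what legitimate template edits go through.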




Archives managed by MHonArc 2.6.19+.