fr - Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing

Subject: For administrators of list servers using the Sympa software

  • From: Martin <adresse@cachée>
  • To: David Verdin <adresse@cachée>
  • Cc: adresse@cachée
  • Subject: Re: [sympa-fr] [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Fri, 18 May 2018 11:43:00 +0200

Hello David,
And thank you

That said, I'm still on the lookout...

Any news from the packager?

Have a good day

On Thu, 3 May 2018 10:42:48 +0200,
David Verdin <adresse@cachée> wrote:

> Oh, look at that, 6.2.32 is in unstable...
>
> The backport shouldn't be long now.
>
> Have a good day!
>
> David
>
>
> On 02/05/2018 09:37, Martin wrote:
> > Hello David,
> >
> > Thanks for the reply,
> >
> > Obviously the question is burning my fingers: do we have a rough
> > idea of the release date for these packages?
> >
> > On Mon, 23 Apr 2018 09:53:30 +0200,
> > David Verdin <adresse@cachée> wrote:
> >
> >> Hello,
> >>
> >> The Debian packager is going to update. He confirmed it to us last
> >> Friday.
> >>
> >> Have a good day!
> >>
> >> David
> >>
> >>
> >> On 23/04/2018 09:34, Martin wrote:
> >>> Hello,
> >>>
> >>> Will an update be released in the debian/stretch security
> >>> repositories, and if so, when?
> >>>
> >>> We are currently at 6.2.16~dfsg-3 in stretch
> >>> (https://packages.debian.org/stretch/sympa)
> >>>
> >>>
> >>> On Thu, 19 Apr 2018 22:19:09 +0900,
> >>> IKEDA Soji <adresse@cachée> wrote:
> >>>
> >>>> The latest version is found at
> >>>> <https://sympa-community.github.io/security/2018-001.html>
> >>>>
> >>>> 2018-001 Security flaws in template editing
> >>>> ===========================================
> >>>>
> >>>> The Sympa Community
> >>>> 2018-04-19 (Initial version)
> >>>>
> >>>> Synopsis
> >>>> --------
> >>>>
> >>>> A fix is available for a vulnerability discovered in the Sympa web
> >>>> interface.
> >>>>
> >>>>
> >>>> Systems Affected
> >>>> ----------------
> >>>>
> >>>> - All versions prior to Sympa 6.2.32
> >>>>
> >>>>
> >>>> Problem Description
> >>>> -------------------
> >>>>
> >>>> A vulnerability has been discovered in the Sympa web interface that
> >>>> allows write access to files on the server filesystem.
> >>>>
> >>>> This flaw allows creating or modifying any file writable by the
> >>>> Sympa user, located on the server filesystem, using the template
> >>>> file saving function of the Sympa web interface.
> >>>>
> >>>>
> >>>> Impact
> >>>> ------
> >>>>
> >>>> Possibility to create or modify files on the server filesystem.
> >>>>
> >>>>
> >>>> Workarounds
> >>>> -----------
> >>>>
> >>>> Users who can't upgrade to the latest version have the following
> >>>> workaround solution: disable access to the corresponding function
> >>>> through the web interface.
> >>>>
> >>>> - Configure the HTTP server to deny access to the location under
> >>>> `<wwsympa_url>/savefile/`. For more details, consult the
> >>>> documentation of the HTTP server you are using.
> >>>>
> >>>>
> >>>> Solution
> >>>> --------
> >>>>
> >>>> - Upgrade to version 6.2.32
> >>>>
> >>>> - Source distribution: [sympa-6.2.32.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz)
> >>>> - Binary distributions: Check release information by
> >>>> distributors.
> >>>>
> >>>> or
> >>>>
> >>>> - Apply a patch
> >>>>
> >>>> - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch)
> >>>> - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch)
> >>>>
> >>>> Download the appropriate patch file and save it on your
> >>>> server. Move into the directory where `wwsympa.fcgi` is
> >>>> installed, and apply the patch:
> >>>>
> >>>> # patch -p1 < sympa-6.2.XX-sa-2018-001.patch
> >>>>
> >>>> Then restart the web interface.
> >>>>
> >>>> Versions prior to 6.2 are no longer maintained. Users of these
> >>>> versions should upgrade to 6.2.32 to prevent potential attacks.
> >>>>
> >>>>
> >>>> CVE Numbers
> >>>> -----------
> >>>>
> >>>> Pending.
> >>>>
> >>>>
> >>>> References
> >>>> ----------
> >>>>
> >>>> - [Sympa 6.2.32 announce]
> >>>> <https://github.com/sympa-community/sympa/releases/tag/6.2.32>
> >>>>
> >>>>
> >>>> Change log
> >>>> ----------
> >>>>
> >>>> - 2018-04-19: Initial version published
> >>>
>
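An added example, not part of this thread or of the advisory, of the HTTP-server workaround the advisory describes: an Apache httpd configuration that denies the `savefile` action until the upgrade to 6.2.32 is applied. It assumes `wwsympa_url` is served under the path `/sympa` on the virtual host (a constructed value; adjust the prefix to your installation).

```apache
# Added example (not from the advisory): deny the template-saving action of
# the Sympa web interface until the upgrade to 6.2.32 can be applied.
# Assumption: wwsympa_url is https://lists.example.org/sympa, so the
# vulnerable action is reached under /sympa/savefile/... . Change the
# prefix to match your own wwsympa_url.
#
# Put this block inside the VirtualHost that serves Sympa, after any other
# <Location> block that grants access to the /sympa prefix: Apache merges
# <Location> sections in configuration order, so the later, more specific
# section must come last to take effect.
<Location "/sympa/savefile">
    # Apache 2.4 (mod_authz_core) syntax. <Location "/sympa/savefile">
    # matches /sympa/savefile and everything below it, but not a path
    # such as /sympa/savefiles.
    Require all denied
    # Apache 2.2 equivalent (mod_authz_host), if still on the old syntax:
    #   Order deny,allow
    #   Deny from all
</Location>
```

After reloading Apache, a request to https://lists.example.org/sympa/savefile/ should return 403 while the rest of the interface still responds. As the advisory says, this disables the function entirely, so listmasters lose template editing through the web until the upgrade.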

Archives managed by MHonArc 2.6.19+.