Upstream has issued an advisory on January 15:
https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting
A CVE has been requested:
http://openwall.com/lists/oss-security/2015/01/20/4
The issue is fixed in 6.1.24, and the upstream patch is linked in the message above.
Mageia 4 is also affected.
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO
Debian has issued an advisory for this on January 20: https://www.debian.org/security/2015/dsa-3134
URL: (none) => http://lwn.net/Vulnerabilities/630218/
CVE-2015-1306 has been assigned: http://openwall.com/lists/oss-security/2015/01/22/4
Summary: sympa new security issue fixed upstream in 6.1.24 => sympa new security issue fixed upstream in 6.1.24 (CVE-2015-1306)
sympa 6.1.24 committed in cauldron, freeze push pending.
sympa 6.1.17-3.1 submitted in updates_testing for mageia 4.
Suggested advisory:
A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem. This breach allows sending to a list or a user any file readable by the Sympa user, located on the server filesystem, using the Sympa web interface newsletter posting area.
Status: NEW => ASSIGNED
Thanks Guillaume!
Advisory:
========================
Updated sympa packages fix security vulnerability:
A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem. This breach allows sending to a list or a user any file readable by the Sympa user, located on the server filesystem, using the Sympa web interface newsletter posting area (CVE-2015-1306).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1306
https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting
https://www.debian.org/security/2015/dsa-3134
========================
Updated packages in core/updates_testing:
========================
sympa-6.1.17-3.1.mga4
sympa-www-6.1.17-3.1.mga4
from sympa-6.1.17-3.1.mga4.src.rpm
CC: (none) => guillomovitch
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA4TOO => (none)
MGA4-64 on HP Probook 6555b. No installation issues. Ref bug 6772 trying to find a way to test. Ran configuration wizard accepting the defaults. Run this as root, normal user would not do. As normal user point firefox to http://localhost/sympa This results in downloading a .bin file (type executable), but then????
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #5)
> As normal user point firefox to http://localhost/sympa
> This results in downloading a .bin file (type executable), but then????
Check your web server configuration: if you don't have a handler defined for .fcgi files, apache will serve it as an unknown file type, instead of executing it.
I've found an additional problem. When configured to use a mysql db, the sympa service is trying to start before the mysql service, so it fails to start at bootup. It will start after mysql has started, so it isn't a configuration issue.
CC: (none) => davidwhodgins
Got the advice from discussion list to install apache-mod_fcgi, did that, but the result is the same.
(In reply to Herman Viaene from comment #8)
> Got the advice from discussion list to install apache-mod_fcgi, did that,
> but the result is the same
As already said, you're likely to miss a configuration directive, not a specific piece of software.
See https://bugs.mageia.org/show_bug.cgi?id=6772#c5 for a previous similar issue
Perhaps a possible source of breakage is here:
http://svnweb.mageia.org/packages/cauldron/apache-mod_fcgid/current/SOURCES/mod_fcgid.conf?r1=280773&r2=280770&pathrev=280773
Maybe mod_fcgid.conf needs to have this added?
AddHandler fcgid-script fcg fcgi fpl
I also wonder whether the FcgidIPCDir should still be there.
(In reply to David Walser from comment #11)
> Perhaps a possible source of breakage is here:
> http://svnweb.mageia.org/packages/cauldron/apache-mod_fcgid/current/SOURCES/mod_fcgid.conf?r1=280773&r2=280770&pathrev=280773
>
> Maybe mod_fcgid.conf needs to have this added?
> AddHandler fcgid-script fcg fcgi fpl
Never mind, all of that stuff was moved to fcgid.conf.
Testing mga4 64
Followed the README.urpmi which gives brief details how to proceed.
Created database with user.
Configured /etc/my.cnf not to skip-networking.
Changed the fastcgi-scripts handlers in /etc/httpd/conf/sites.d/sympa.conf to fcgid-scripts and installed apache-mod_fcgid.
Checked the handler is set in /etc/httpd/conf/conf.d/fcgid.conf
Getting nowhere with this. It downloads a binary rather than running it as a cgi script. It's probably something trivial I'm missing but no idea what.
Requesting sysadmin assist for this one please. We need to ensure it's right as it'll be used on our servers.
CC: (none) => sysadmin-bugs
Everything works fine with a correct handler defined for .fcgi scripts:
- either 'cgi-script'
- or 'fcgid-script' (automatically done by apache-mod_fcgid default configuration)
'fastcgi-script' is a handler for mod_fastcgi, which is obsolete and no longer available in the distribution.
I just fixed the *default* apache configuration to define cgi-script handler only if mod_fcgid is not available, it should be enough. Beware of browser caching when testing.
Two remarks:
- this is not a regression, the problem was already present in the original package for mageia4
- this only affects the web interface, which is only a component of sympa
I forgot in my previous comment: you have to ensure that the handler selected is consistent with use_fast_cgi setting in /etc/sympa/wwsympa.conf
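A pre-flight check for the handler conditions described in the two comments above, as an added example that is not part of the thread or of the sympa package. The function names, the sample configuration text, and the pairing of fcgid-script with use_fast_cgi 1 and cgi-script with use_fast_cgi 0 are assumptions; container scope is ignored, so pass only the section that covers the Sympa CGI directory.

```python
import re

# Handlers named in the thread, each with the use_fast_cgi value it is assumed
# to pair with (the pairing is this example's assumption, not from the page).
WORKING = {"cgi-script": "0", "fcgid-script": "1"}
OBSOLETE = {"fastcgi-script"}  # mod_fastcgi handler, described as obsolete

def fcgi_handlers(apache_conf):
    """Handlers that AddHandler/SetHandler lines attach to .fcgi files."""
    found = []
    for line in map(str.strip, apache_conf.splitlines()):
        m = re.match(r"(?i)(addhandler|sethandler)\s+(\S+)(.*)", line)
        if not m:
            continue  # comments, containers and unrelated directives
        exts = [e.lstrip(".").lower() for e in m.group(3).split()]
        if m.group(1).lower() == "sethandler" or "fcgi" in exts:
            found.append(m.group(2).lower())
    return found

def use_fast_cgi(wwsympa_conf):
    """Value of use_fast_cgi in wwsympa.conf text, or None when not set."""
    m = re.search(r"(?m)^\s*use_fast_cgi\s+(\S+)", wwsympa_conf)
    return m.group(1) if m else None

def check(apache_conf, wwsympa_conf, loaded_modules):
    """Return a list of findings; an empty list means the setup is consistent."""
    handlers = fcgi_handlers(apache_conf)
    if not handlers:
        return ["no-handler"]  # Apache serves the .fcgi file as a download
    flag = use_fast_cgi(wwsympa_conf)
    findings = []
    for h in handlers:
        if h in OBSOLETE:
            findings.append("obsolete-handler:" + h)
        elif h not in WORKING:
            findings.append("unknown-handler:" + h)
        elif h == "fcgid-script" and "fcgid_module" not in loaded_modules:
            findings.append("module-not-loaded:" + h)
        elif flag is not None and flag != WORKING[h]:
            findings.append("use_fast_cgi-mismatch:" + h)
    return findings

# Constructed sample inputs (not copied from the Mageia package).
OLD_CONF = "<Directory /usr/lib/sympa/cgi>\n  AddHandler fastcgi-script .fcgi\n</Directory>"
NEW_CONF = "<Directory /usr/lib/sympa/cgi>\n  AddHandler fcgid-script .fcgi\n</Directory>"

if __name__ == "__main__":
    print(check(OLD_CONF, "use_fast_cgi 1", {"fcgid_module"}))
    print(check(NEW_CONF, "use_fast_cgi 1", {"fcgid_module"}))
```

The `loaded_modules` set can be built from the module names that `httpd -M` lists.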
LWN made this entry for CVE-2015-1306: http://lwn.net/Vulnerabilities/632570/ I asked them to combine it with the previous one.
David, your link results in "Error 404".
MGA4-64 on HP Probook 6555b. I did remove the sympa packages previously, so today I reinstalled the 6.16.1.17-3.2 packages, after checking that mod_fcgi was installed. Now the sympa page "Mailing list services" opens OK.
Whiteboard: (none) => MGA4-64-OK
(In reply to Herman Viaene from comment #19)
> David, your link results in "Error 404".
Yep, they combined it back into the one listed in the URL at the top of the bug.
MGA4-32 on Acer D620. After doing all steps I run into:
Server error!
The server encountered an internal error and was unable to complete your request.
Error message: End of script output before headers: wwsympa-wrapper.fcgi
when pointing firefox at http://localhost/sympa
Check your logs in /var/log/httpd, there should be more information about why you got the end of script output message. Also, did you have apache-mod_fcgi installed for that test?
apache-mod_fcgi is installed
access_log:
127.0.0.1 - - [17/Feb/2015:14:31:04 +0100] "GET /sympa/ HTTP/1.1" 500 1061 "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"
error_log:
Can't locate FCGI.pm in @INC (you may need to install the FCGI module) (@INC contains: /usr/share/sympa/lib /usr/lib/perl5/site_perl/5.18.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.18.1 /usr/lib/perl5/vendor_perl/5.18.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.18.1 /usr/lib/perl5/5.18.1/i386-linux-thread-multi /usr/lib/perl5/5.18.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.16.2 /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/5.18.1/CGI/Fast.pm line 25.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.18.1/CGI/Fast.pm line 25.
Compilation failed in require at /usr/lib/sympa/cgi/wwsympa.fcgi line 121.
[Tue Feb 17 14:31:16.798699 2015] [fcgid:warn] [pid 6551] (104)Connection reset by peer: [client 127.0.0.1:46155] mod_fcgid: error reading data from FastCGI server
[Tue Feb 17 14:31:16.798894 2015] [core:error] [pid 6551] [client 127.0.0.1:46155] End of script output before headers: wwsympa-wrapper.fcgi
I installed packages fcgi, libfcgi0 and perl-FCGI and that solved the problem. "Mailing list services" page is now displayed.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
So we have a missing requires on perl-FCGI in some package, but I'm not sure which one it belongs in.
I guess it should probably be suggests/recommends (whichever we use now) for apache-mod_fcgid. I think sympa is probably not at fault here. Guillaume any thoughts?
The FCGI perl module is actually a dependency of CGI/Fast perl module, which is distributed either as a CORE perl package or as a separate perl-CGI package. Given this multiple distribution, it was simpler to add another soft dependency to sympa-www package, both for mageia 4 and for cauldron.
Yeah, I saw the multiple distributions of the Fast.pm, which is why I wasn't sure what to do about this. Thanks for the fix Guillaume! The sympa SRPM for mga4 is now sympa-6.1.17-3.3.mga4. This one should be good.
Advisory uploaded. Are the -OK tags still valid or should they be cleaned?
CC: (none) => remi
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
(In reply to Rémi Verschelde from comment #29)
> Advisory uploaded. Are the -OK tags still valid or should they be cleaned?
It's already been verified to be working, so they don't necessarily need to be cleaned just because it was rebuilt. All that was added was a recommends on perl-FCGI. Maybe someone could double-check it with rpmdiff or something, but it should still be OK. As long as it still installs fine and there wasn't a typo or something, it should be ready to go based on the testing that's been done.
Testing complete mga4 64 \o/
Taking Herman's previous testing into account I'll validate this one now.
Please push to 4 updates
Thanks
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0085.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED