Sympa has issued an advisory on July 3:
Debian has issued an advisory for this on September 5:
The issue is fixed upstream in 6.2.32.
Mageia 5 is also affected.
Assigning to the registered maintainer.
CC'ing our sysadmins, because of sympa in our infra.
No need to think about infra... (for once...) :)
Infra has been updated for a long time already :)
# rpm -qa --last |grep sympa
sympa-www-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:51:26 PM CEST
But I think it's better to patch sympa in updates, as there are schema changes between 6.2.16 and 6.2.32 that would require manual intervention...
sympa-6.2.16-1.1.mga6, fixing the issue, submitted in updates_testing.
Updated sympa packages fix security vulnerability:
Michael Kaczmarczik discovered a vulnerability in the web interface template
editing function of Sympa, a mailing list manager. Owner and listmasters could
use this flaw to create or modify arbitrary files in the server with privileges
of sympa user or owner view list config files even if edit_list.conf prohibits
Updated packages in core/updates_testing:
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues at first.
Consulting bug 15097 and bug 6772, I found out I had to manually install apache-mod_fcgi. Why isn't that a dependency???
Restarted httpd after this installation, and pointed to http://127.0.0.1/sympa/
This resulted in Server Error: End of script output before headers: wwsympa-wrapper.fcgi
Looking further in the bugs above and googling the error brings me references to the file /etc/sympa/wwsympa.conf, but this file does not exist here.
mod_fcgi is a soft dependency for the web interface, as you can perfectly run it as a standard CGI. And wwsympa.conf is an obsolete configuration file, all related directives are now loaded from regular /etc/sympa/sympa.conf file.
After finding in bug 6772 Comment 2 that one has to run sympa_wizard.pl, I could proceed, accepting almost all default values in the configuration wizard.
Then I could connect to http://127.0.0.1/sympa/, but trying to login does not seem to have any effect, and selecting any of the other pages just throws the "Error 404".
No response to this bug for nearly six months. Mageia 6 goes EOL very soon. What are we to do with this?
Has anyone else tried to test this? Is the supposed issue a regression or operator error? It looks like the package was just patched and is likely fine and should have been pushed a long time ago.
I guess this is an operator error. The Sympa web interface may be quite difficult to set up for someone not familiar with configuring a web server manually.
OK, Herman did have a clean installation in 32-bit, so I'm going to OK it based on that and validate, sending it on its way.
Advisory in Comment 4.
An update for this issue has been pushed to the Mageia Updates repository.
After updating my sympa server I now have an issue:
[Mon Sep 30 16:50:51.430367 2019] [core:notice] [pid 6071] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
err Conf::_load_binary_cache() Could not create new lock, error was : Couldn't open "/etc/sympa/sympa.conf.bin,lock.5058.6097.5135" [Permission denied]
Use of uninitialized value in string eq at /usr/share/sympa/lib/Conf.pm line 2217.
I'm trying to change the owner group of the /etc/sympa dir so that the apache user as well as sympa is able to create the lock file, but without any luck.
Am I missing something?
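The "Permission denied" on the lock file above comes down to whether the user the web process runs as has both write and execute (search) permission on the directory. The following is an added example, not something posted in this thread or shipped by Sympa or Mageia: a small POSIX shell helper that reports which permission class (owner, group, other) a given user falls into for a directory and whether that class has the bits needed to create a file there. It assumes GNU coreutils (stat -c) as on Mageia, and it deliberately ignores root's override and POSIX ACLs, so treat "no" from it as a definite problem and "yes" as a necessary-but-not-sufficient check.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of Sympa's packaging.
# Answers "can USER create a file in DIR?" from the classic mode bits only.
# Assumptions: GNU coreutils stat; root bypass and ACLs are not modelled.

# dir_perm_class DIR USER -> prints "owner", "group" or "other"
dir_perm_class() {
    dir=$1; user=$2
    owner=$(stat -c '%U' "$dir") || return 1
    group=$(stat -c '%G' "$dir") || return 1
    if [ "$owner" = "$user" ]; then
        echo owner
    # id -nG lists every group the user belongs to, supplementary ones included
    elif id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo group
    else
        echo other
    fi
}

# can_create_in DIR USER -> exit 0 if USER has write+exec on DIR, else 1
can_create_in() {
    dir=$1; user=$2
    mode=$(stat -c '%a' "$dir") || return 1
    # keep only the rwx digits; drop a leading setuid/setgid/sticky digit
    mode=$(printf '%s' "$mode" | tail -c 3)
    case $(dir_perm_class "$dir" "$user") in
        owner) digit=$(printf '%s' "$mode" | cut -c1) ;;
        group) digit=$(printf '%s' "$mode" | cut -c2) ;;
        *)     digit=$(printf '%s' "$mode" | cut -c3) ;;
    esac
    # creating an entry needs write (2) and search (1): digit 3 or 7
    case $digit in
        3|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: can_create_in /etc/sympa apache && echo yes || echo no
```

Running it for both the sympa and the apache user against /etc/sympa shows directly whether a group change alone can help: if apache lands in the "other" class, changing the directory's group is the right lever; if it already lands in "group" but the group digit lacks the write bit, the mode rather than the ownership needs adjusting.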
You'll need to open a new bug for that.