Sympa has issued an advisory on July 3: https://sympa-community.github.io/security/2018-001.html
Debian has issued an advisory for this on September 5: https://www.debian.org/security/2018/dsa-4285
The issue is fixed upstream in 6.2.32.
Mageia 5 is also affected.
Assigning to the registered maintainer. CC'ing our sysadmins, because of sympa in our infra.
CC: (none) => marja11, sysadmin-bugs
Assignee: bugsquad => guillomovitch
No need to think about infra... (for once...) :)
Infra was updated a long time ago :)

# rpm -qa --last | grep sympa
sympa-www-6.2.32-1.mga6.infra.x86_64          Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64              Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64   Thu 14 Jun 2018 08:51:26 PM CEST

But I think it's better to patch sympa in updates, as there are schema changes between 6.2.16 and 6.2.32 that would require manual intervention...
CC: (none) => tmb
sympa-6.2.16-1.1.mga6, fixing the issue, submitted in updates_testing.
Assignee: guillomovitch => qa-bugs
Thanks Guillaume!

Advisory:
========================

Updated sympa packages fix security vulnerability:

Michael Kaczmarczik discovered a vulnerability in the web interface template editing function of Sympa, a mailing list manager. Owners and listmasters could use this flaw to create or modify arbitrary files on the server with the privileges of the sympa user, or owners could view list config files even if edit_list.conf prohibits it (CVE-2018-1000550).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000550
https://sympa-community.github.io/security/2018-001.html
https://www.debian.org/security/2018/dsa-4285
========================

Updated packages in core/updates_testing:
========================
sympa-6.2.16-1.1.mga6
sympa-www-6.2.16-1.1.mga6

from sympa-6.2.16-1.1.mga6.src.rpm
CC: (none) => guillomovitch
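As an added example (not code from this thread, nor from the Sympa or Mageia projects), here is a small Python check that reads `rpm -qa --last` output like the listing quoted above and reports, per sympa package, whether it is at or above a fixed build: 6.2.32 from upstream, or the 6.2.16-1.1.mga6 backport submitted to updates_testing. The segment-wise comparison is a simplified reimplementation of rpm's own rpmvercmp (tilde and caret ordering are not handled); the function names are mine, and the sample lines other than the three infra lines from the thread are constructed for this example.

```python
import re

# Segment splitter for the simplified rpmvercmp below: runs of digits or letters.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp(): compare two version or release strings segment by
    segment the way rpm does (numeric vs numeric compares as integers, a numeric
    segment is newer than an alphabetic one, leftover segments mean newer).
    Tilde/caret ordering is not handled. Returns -1, 0 or 1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue  # same number, only leading zeros differ
        if x_num != y_num:
            return 1 if x_num else -1
        return -1 if x < y else 1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_rpm_last_line(line):
    """Split one 'rpm -qa --last' line into (nvra, name, version, release)."""
    nvra = line.split()[0]
    nvr, _arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return nvra, name, version, release


# (version, release) pairs at or above which a build carries the fix, taken from
# the thread: the upstream fix in 6.2.32 (any release) and the Mageia 6 backport
# in 6.2.16-1.1.mga6.
FIXED_THRESHOLDS = [("6.2.32", None), ("6.2.16", "1.1.mga6")]


def is_fixed(version, release):
    for fixed_version, fixed_release in FIXED_THRESHOLDS:
        c = rpm_vercmp(version, fixed_version)
        if c > 0:
            return True
        if c == 0 and (fixed_release is None or rpm_vercmp(release, fixed_release) >= 0):
            return True
    return False


def audit_sympa(rpm_last_output):
    """Return {nvra: 'fixed' | 'vulnerable'} for every sympa* package found in
    the text of 'rpm -qa --last'; unrelated packages are skipped."""
    result = {}
    for line in rpm_last_output.splitlines():
        if not line.strip():
            continue
        nvra, name, version, release = parse_rpm_last_line(line)
        if name.split("-")[0] != "sympa":
            continue
        result[nvra] = "fixed" if is_fixed(version, release) else "vulnerable"
    return result


# Constructed sample: the three infra lines quoted in the thread, plus invented
# lines for a host still on the original 6.2.16-1.mga6 build, one on the
# updates_testing backport, and an unrelated package that must be ignored.
SAMPLE_RPM_LAST = """\
sympa-www-6.2.32-1.mga6.infra.x86_64          Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64              Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64   Thu 14 Jun 2018 08:51:26 PM CEST
sympa-www-6.2.16-1.mga6.x86_64                Tue 01 Aug 2017 10:00:00 AM CEST
sympa-6.2.16-1.1.mga6.x86_64                  Thu 05 Sep 2019 09:00:00 AM CEST
perl-Foo-Bar-1.0-1.mga6.noarch                Tue 01 Aug 2017 09:00:00 AM CEST
"""

if __name__ == "__main__":
    for pkg, status in sorted(audit_sympa(SAMPLE_RPM_LAST).items()):
        print(f"{pkg:48s} {status}")
```

Feeding it the real listing (`rpm -qa --last | grep sympa`) instead of the sample tells you whether a host is on the infra build, the backport, or still on the unpatched 6.2.16-1.mga6; the release comparison is what distinguishes the last two, since their version strings are identical.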
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues at first. Consulting bug 15097 and bug 6772, found out I had to manually install apache-mod_fcgi. Why isn't that a dependency???
Restarted httpd after this installation, and pointed to http://127.0.0.1/sympa/
This resulted in:
Server Error: End of script output before headers: wwsympa-wrapper.fcgi
Further looking in the bugs above and googling on the error brings me references to file /etc/sympa/wwsympa.conf, but this file does not exist here.
CC: (none) => herman.viaene
mod_fcgi is a soft dependency for the web interface, as you can perfectly run it as a standard CGI. And wwsympa.conf is an obsolete configuration file, all related directives are now loaded from regular /etc/sympa/sympa.conf file.
After finding in bug 6772 Comment 2 that one has to run sympa_wizard.pl, I could proceed, accepting almost all default values in the configuration wizard. Then I could connect to http://127.0.0.1/sympa/, but trying to log in does not seem to have any effect, and selecting any of the other pages just throws "Error 404".
No response to this bug for nearly six months. Mageia 6 goes EOL very soon. What are we to do with this?
CC: (none) => andrewsfarm
Has anyone else tried to test this? Is the supposed issue a regression or operator error? It looks like the package was just patched and is likely fine and should have been pushed a long time ago.
I guess this is an operator error. The Sympa web interface may be quite difficult to set up for someone not familiar with configuring a web server manually.
OK, Herman did have a clean installation in 32-bit, so I'm going to OK it based on that and validate, sending it on its way. Advisory in Comment 4.
Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0263.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
After updating my sympa server I now have an issue:

[Mon Sep 30 16:50:51.430367 2019] [core:notice] [pid 6071] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
err Conf::_load_binary_cache() Could not create new lock, error was : Couldn't open "/etc/sympa/sympa.conf.bin,lock.5058.6097.5135" [Permission denied]
Use of uninitialized value in string eq at /usr/share/sympa/lib/Conf.pm line 2217.

I'm trying to change the owner group of the /etc/sympa dir so that the apache user as well as sympa is able to create the lock file, but without any luck. Am I missing something?
Resolution: FIXED => (none)
CC: (none) => bruno
Status: RESOLVED => REOPENED
You'll need to open a new bug for that.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED