Sympa issued an advisory on July 3:
Debian issued an advisory for this on September 5:
The issue is fixed upstream in 6.2.32.
Mageia 5 is also affected.
Assigning to the registered maintainer.
CC'ing our sysadmins, because of sympa in our infra.
No need to think about infra... (for once...) :)
Infra is updated since a long time ago :)
# rpm -qa --last |grep sympa
sympa-www-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64 Thu 14 Jun 2018 08:51:26 PM CEST
But I think it's better to patch sympa in updates, as there are schema changes between 6.2.16 and 6.2.32 that would make it need manual intervention...
sympa-6.2.16-1.1.mga6, fixing the issue, submitted in updates_testing.
Updated sympa packages fix security vulnerability:
Michael Kaczmarczik discovered a vulnerability in the web interface template
editing function of Sympa, a mailing list manager. Owners and listmasters could
use this flaw to create or modify arbitrary files on the server with the privileges
of the sympa user, or owners could view list config files even if edit_list.conf prohibits
Updated packages in core/updates_testing:
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues at first.
Consulting bug 15097 and bug 6772, I found out I had to manually install apache-mod_fcgi. Why isn't that a dependency???
Restarted httpd after this installation, and pointed to http://127.0.0.1/sympa/
This resulted in Server Error: End of script output before headers: wwsympa-wrapper.fcgi
Further looking in the bugs above and googling the error brings me references to the file /etc/sympa/wwsympa.conf, but this file does not exist here.
mod_fcgi is a soft dependency for the web interface, as you can perfectly well run it as a standard CGI. And wwsympa.conf is an obsolete configuration file; all related directives are now loaded from the regular /etc/sympa/sympa.conf file.
After finding in bug 6772 comment 2 that one has to run sympa_wizard.pl, I could proceed, accepting almost all default values in the configuration wizard.
Then I could connect to http://127.0.0.1/sympa/, but trying to log in does not seem to have any effect, and selecting any of the other pages just throws the "Error 404".