Bug 26308 - Update request: sympa-6.2.42-1.1.mga7 (fixes CVE-2020-9369)
Summary: Update request: sympa-6.2.42-1.1.mga7 (fixes CVE-2020-9369)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-06 13:30 CET by Thomas Backlund
Modified: 2020-04-01 03:58 CEST (History)

See Also:
Source RPM: sympa-6.2.42-1.mga7.src.rpm
CVE:
Status comment:



Description Thomas Backlund 2020-03-06 13:30:48 CET
Advisory:
Updated sympa packages fix security vulnerability:

Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of
service (disk consumption from temporary files, and a flood of
notifications to listmasters) via a series of requests with malformed
parameters (CVE-2020-9369).

ref:
https://sympa-community.github.io/security/2020-001.html


SRPM:
sympa-6.2.42-1.1.mga7.src.rpm


i586:
sympa-6.2.42-1.1.mga7.i586.rpm
sympa-mysql-6.2.42-1.1.mga7.i586.rpm
sympa-postgresql-6.2.42-1.1.mga7.i586.rpm
sympa-www-6.2.42-1.1.mga7.i586.rpm


x86_64:
sympa-6.2.42-1.1.mga7.x86_64.rpm
sympa-mysql-6.2.42-1.1.mga7.x86_64.rpm
sympa-postgresql-6.2.42-1.1.mga7.x86_64.rpm
sympa-www-6.2.42-1.1.mga7.x86_64.rpm
Thomas Backlund 2020-03-06 17:13:43 CET

Keywords: (none) => advisory

Comment 1 Herman Viaene 2020-03-09 16:01:18 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bugs 15097 and 6772 for config.
Run
/usr/sbin/sympa_wizard.pl
Accepting defaults except for passwords for mysql, no errors given
After that, checked phpmyadmin, seeing nothing like sympa.
Pointed firefox to http://localhost/sympa/, seeing there the name I gave during the wizard, but none of the links work (error 404) and the login link doesn't do anything at all.
And yes, mod_fcgid is installed.

CC: (none) => herman.viaene

Comment 2 David Walser 2020-03-13 18:12:48 CET
Fedora has issued an advisory for this on March 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XO4WJYNNHWM7DUKCN4EWYYYPXZSOI7BQ/

The issue is fixed upstream in 6.2.54 (and patched by us obviously).

Source RPM: sympa => sympa-6.2.42-1.mga7.src.rpm
Summary: Update request: sympa-6.2.42-1.1.mga7 => Update request: sympa-6.2.42-1.1.mga7 (fixes CVE-2020-9369)
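Added example (not code from the Mageia package, from Sympa, or from anyone in this bug): the advisory gives the affected upstream range as 6.2.38 through 6.2.52, while Comment 2 notes that Mageia backported the fix into 6.2.42-1.1.mga7 without moving to 6.2.54. A check keyed only on the upstream version string would therefore still flag the fixed build. The script below compares the full installed version-release against the fixed build using rpmvercmp segment rules (digit runs compared numerically, letter runs lexically, '~' sorting before and '^' after end of string), which is how rpm itself orders 1.1.mga7 above 1.mga7. The sample EVR strings are constructed; on a real host they would come from `rpm -q --qf '%{EVR}\n' sympa`.

```python
import re

# Fixed build named in this update request.
FIXED_EVR = "6.2.42-1.1.mga7"
# Upstream affected range stated in the advisory (inclusive).
UPSTREAM_FIRST_BAD, UPSTREAM_LAST_BAD = "6.2.38", "6.2.52"


def _is_segment_char(c: str) -> bool:
    # rpm treats only ASCII alphanumerics, '~' and '^' as significant;
    # everything else ('.', '-', '_', ...) is a separator.
    return c in "~^" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpmvercmp() semantics.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_segment_char(a[i]):
            i += 1
        while j < len(b) and not _is_segment_char(b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, including the end of the string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before any other segment.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # Take a run of the same kind (all digits or all letters) from each side.
        isnum = ca.isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:
            # Segment kinds differ: a numeric segment is always newer.
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def evr_split(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = evr_split(a)
    eb, vb, rb = evr_split(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def carries_fix(installed_evr: str) -> bool:
    """True when the installed Mageia 7 sympa build is at or above the
    patched 6.2.42-1.1.mga7 (a backport: only the release part moved)."""
    return evrcmp(installed_evr, FIXED_EVR) >= 0


def upstream_version_in_affected_range(version: str) -> bool:
    """What a check keyed only on the upstream version range would report."""
    return (rpmvercmp(version, UPSTREAM_FIRST_BAD) >= 0
            and rpmvercmp(version, UPSTREAM_LAST_BAD) <= 0)


if __name__ == "__main__":
    # Constructed sample values, not a real inventory.
    for evr in ("6.2.42-1.mga7", "6.2.42-1.1.mga7", "6.2.54-1.mga7"):
        _, ver, _ = evr_split(evr)
        print(f"{evr:18} in_upstream_range={upstream_version_in_affected_range(ver)!s:5} "
              f"carries_fix={carries_fix(evr)}")
```

Run stand-alone, the middle line shows the point: 6.2.42-1.1.mga7 falls inside the upstream affected range yet carries the fix, so the full EVR comparison is the one to trust on a distribution that backports.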

Comment 3 Thomas Andrews 2020-03-26 23:08:27 CET
Referring to Bug 23536, I see that the last update to sympa sat around for months before I finally validated it based on Herman's clean install.

We have the same situation now, but I see no reason to wait so long this time. Giving this a 64-bit OK based once again on Herman's effort, and validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 4 Mageia Robot 2020-04-01 03:58:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0146.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

