Fedora has issued an advisory on June 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN/ The issue is fixed upstream in 6.2.56: https://github.com/sympa-community/sympa/releases/tag/6.2.56 https://sympa-community.github.io/security/2020-002.html
Assigning to tmb as the main sympa committer; CC'ing Guillaume as its registered maintainer.
Assignee: bugsquad => tmb
CC: (none) => guillomovitch
Debian-LTS has issued an advisory for this on October 7: https://www.debian.org/lts/security/2020/dla-2401
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Sympa before 6.2.56 allows privilege escalation. (CVE-2020-10936)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10936
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN/
https://github.com/sympa-community/sympa/releases/tag/6.2.56
https://sympa-community.github.io/security/2020-002.html
https://www.debian.org/lts/security/2020/dla-2401
========================

Updated packages in core/updates_testing:
========================
sympa-6.2.42-1.2.mga7
sympa-www-6.2.42-1.2.mga7
sympa-mysql-6.2.42-1.2.mga7
sympa-postgresql-6.2.42-1.2.mga7

from SRPM:
sympa-6.2.42-1.2.mga7.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-10936
Status: NEW => ASSIGNED
Assignee: tmb => qa-bugs
MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref a load of previous update bugs on it, but nowhere a working example. Found that the wizard does not create anything in the mysql database. Found https://sympa-community.github.io/manual/install.html. Checked sympa.conf, created the database as in the manual, checked sympa.conf further accordingly, but all in vain. All I get is the sympa Welcome screen; the login button does not do anything and all the other links throw Error 404.

Clean install?
CC: (none) => herman.viaene
For Mageia 7 infra, the patch needs to be applied to https://svnweb.mageia.org/packages/updates/infra_7/sympa/
CC: (none) => sysadmin-bugs
Debian-LTS has issued an advisory on November 9: https://www.debian.org/lts/security/2020/dla-2441

It fixes a new security issue (Mageia 7 and Cauldron are affected).
CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Summary: sympa new security issue CVE-2020-10936 => sympa new security issues CVE-2020-10936 and CVE-2020-26880
(In reply to Thomas Backlund from comment #5)
> For Mageia 7 infra, the patch needs to be applied to
> https://svnweb.mageia.org/packages/updates/infra_7/sympa/

Infra patched for CVE-2020-10936
(In reply to David Walser from comment #6)
> Debian-LTS has issued an advisory on November 9:
> https://www.debian.org/lts/security/2020/dla-2441
>
> It fixes a new security issue (Mageia 7 and Cauldron are affected).

The "fix" for this is to remove setuid wrappers with config option:
https://github.com/sympa-community/sympa/pull/1032/commits/a0cb7ef20701dbd9e102a3ffa9267138b1bae638

I've manually removed suid bit on infra for now
(In reply to Thomas Backlund from comment #7)
> (In reply to Thomas Backlund from comment #5)
> > For Mageia 7 infra, the patch needs to be applied to
> > https://svnweb.mageia.org/packages/updates/infra_7/sympa/
>
> Infra patched for CVE-2020-10936

And reverted. The fix breaks session handling, which also explains the trouble Herman had in comment 4.

Seems Debian hit the same problem... We need to fix it properly...
Debian-LTS has issued an advisory on December 17: https://www.debian.org/lts/security/2020/dla-2499

This new issue is apparently fixed upstream in 6.2.59b.2.
Summary: sympa new security issues CVE-2020-10936 and CVE-2020-26880 => sympa new security issues CVE-2020-10936, CVE-2020-26880, and CVE-2020-29668
Severity: normal => major
Debian has issued an advisory for this on December 23: https://www.debian.org/security/2020/dsa-4818
Status comment: (none) => Fixed upstream in 6.2.59b.2
Yes, but this is a beta. Sympa 6.2.60 should be released soon.
CC: (none) => mageia
6.2.60 final is planned for the 4th of January. Maybe we can update to beta2 and update to final after. WDYT?
I think it would be fine. What does tmb think?
I don't intend to issue two updates myself, but feel free to do so if you feel compelled to. This problem is actually 4 years old; if you read the thread on github, I don't think waiting just another week will change much.
CVE-2020-29668 fixed with https://github.com/sympa-community/sympa/releases/tag/6.2.60
CC: (none) => bruno
Sympa 6.2.60 is in the SVN. Freeze push asked.
New sympa available on Cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Fedora has issued an advisory for this on January 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/
Status comment: Fixed upstream in 6.2.59b.2 => Fixed upstream in 6.2.60
Severity: major => critical
Assignee: nicolas.salguero => pkg-bugs
@guillaume: do you have a problem if I update sympa to 6.2.60 on Mageia 7?
Doing that means you are pushing schema changes in a stable release, which means after the update sympa will fail to start until manual intervention and possible config changes are done.
OK, so no-go. I will dig to find commits then.
Fix for CVE-2020-29668 added in svn.

Can someone please help for CVE-2020-29668? https://github.com/sympa-community/sympa/issues/1009
Ping, just a reminder if we're gonna do anything with this, now's the time.
infra version is fixed now as of yesterday; thanks Thomas!
CC: (none) => tmb
Closing this as we have 6.2.60 in the Mga8 release, and Mga infra is fixed.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Changing to OLD since we never pushed the update to Mageia 7 core/updates.
Resolution: FIXED => OLD