|
Message-ID: <877gwd4g91.fsf@algae.riseup.net> Date: Tue, 15 May 2012 11:26:50 -0400 From: micah anderson <micah@...eup.net> To: Kurt Seifried <kseifried@...hat.com>, oss-security@...ts.openwall.com Subject: Re: CVE request: sympa (try again) On Fri, 11 May 2012 23:58:33 -0600, Kurt Seifried <kseifried@...hat.com> wrote: > Ok I see this one and several more: > > ================================ > > 6.1.11 May 11, 2012 > Bug fixes: > [7358] wwsympa/wwsympa.fcgi.in: Fixing a potential security issue > related to archives This is the CVE-2012-2352 that you assigned, upstream Sympa has now created a page for security issues, this is one is detailed on there: https://www.sympa.org/security_advisories#security_advisories > > 6.1.1 October 22, 2010 > This version includes a lots news such as DKIM support, autosignoff > footer link included in lists messages, ... > Various vulnerability have been solved in 6.1.1 : cross side scripting, > cross-Site request forgeries, brute force attack, DOS. These > vulnerabilities were identified with the help of P. Gardenat (Rectorat > de Rennes) during a security audit on Sympa. > - --------------------- > web_tt2/error.tt2, wwsympa/wwsympa.fcgi.in: Now shared document > can't be read or edited unless list is open. This is a security fix > > ================================ > > 6.0 1st October 2009 > Security: > - - [reported by T. Retout] SQL injection threat removed by using place > holders instead of direct sprint in a query. > - - [Submitted by N. Bertrand, univ. Minnesota] Basic logs in debug > don't issue the password unencrypted in the logs for function > Auth::ldap_authentication. This way, this password won't be sent > unencrypted to a possible syslog server. > - - [#4439] [#4440] [reported by O.Berger] security vulnerability which > use a file in /tmp. > - - [#4430] store temporary files in Sympa's own tmp directory instead > of /tmp to prevent symlink attacks These issues were fixed a very long time ago, there was a security advisory in 2010, here is the French CERT advisory for them: http://www.certa.ssi.gouv.fr/site/CERTA-2010-AVI-505/ It appears that besides this most recent CVE, the only CVEs issued for Sympa have been in 2008, so these were not assigned numbers. micah ps - I would sign this message, but it seems like it would be eaten by EZLM :(
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.