[Pkg-sympa-devel] [SECURITY] [DSA 2477-1] sympa security update

Dario Minnucci midget at debian.org
Wed May 23 14:27:31 UTC 2012


Hi Team,

(Please, Cc me if needed because I'm not a subscriber)

Just for the record.

After upgrading sympa to 6.0.1+dfsg-4+squeeze1, mail delivery stopped working due to wrong user,
group and perms on /usr/lib/sympa/lib/sympa/queue.

I've solved this as proposed in BTS #581849 [0].


 # chown sympa:sympa /usr/lib/sympa/lib/sympa/queue
 # chmod u+s /usr/lib/sympa/lib/sympa/queue


I think I performed these changes originally when I installed sympa for the very first time on
this server, so it seems that /usr/lib/sympa/lib/sympa/queue was overwritten by the upgrade, installing
the file as root:root 0755.


Hope this helps with possible issues in the future.

Regards,


[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581849



On 05/20/2012 08:54 PM, Florian Weimer wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2477-1                   security at debian.org
> http://www.debian.org/security/                            Florian Weimer
> May 20, 2012                           http://www.debian.org/security/faq
> -------------------------------------------------------------------------
> 
> Package        : sympa
> Vulnerability  : authorization bypass
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2012-2352
> Debian Bug     : 
> 
> Several vulnerabilities have been discovered in Sympa, a mailing list
> manager, that allow the scenario-based authorization mechanisms to be
> skipped. This vulnerability allows unauthorized users to display the
> archives management page, and to download and delete the list
> archives.
> 
> For the stable distribution (squeeze), this problem has been fixed in
> version 6.0.1+dfsg-4+squeeze1.
> 
> For the testing distribution (wheezy), this problem will be fixed
> soon.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 6.1.11~dfsg-2.
> 
> We recommend that you upgrade your sympa packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce at lists.debian.org
> 
> 

-- 
 Dario Minnucci <midget at debian.org>
 Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
 Key fingerprint = BAA1 7AAF B21D 6567 D457  D67D A82F BB83 F3D5 7033
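
As an added example (not part of the original message and not code from the Debian package): a POSIX shell check that reports when the queue wrapper has lost the owner, group or setuid bit described above, for instance after a package upgrade. It assumes GNU `stat`; the function name `check_setuid_owner` and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: detect ownership/mode drift on a setuid wrapper.

QUEUE=/usr/lib/sympa/lib/sympa/queue   # path taken from the message above

# check_setuid_owner PATH USER GROUP
# Returns 0 if PATH is owned by USER:GROUP and has the setuid bit set,
#         1 if owner, group or setuid bit differ (drift),
#         2 if PATH is missing or cannot be inspected.
check_setuid_owner() {
    cso_path=$1; cso_user=$2; cso_group=$3; cso_rc=0

    if [ ! -e "$cso_path" ]; then
        echo "MISSING $cso_path" >&2
        return 2
    fi

    # GNU stat format: %U owner name, %G group name, %a octal mode
    cso_owner=$(stat -c %U "$cso_path") || return 2
    cso_grp=$(stat -c %G "$cso_path") || return 2
    cso_mode=$(stat -c %a "$cso_path") || return 2

    if [ "$cso_owner:$cso_grp" != "$cso_user:$cso_group" ]; then
        echo "DRIFT $cso_path is $cso_owner:$cso_grp, expected $cso_user:$cso_group" >&2
        cso_rc=1
    fi

    # test -u is true only when the setuid bit is set
    if [ ! -u "$cso_path" ]; then
        echo "DRIFT $cso_path mode $cso_mode has no setuid bit" >&2
        cso_rc=1
    fi

    return "$cso_rc"
}

# Check the path from the thread only when explicitly asked to,
# e.g. from a post-upgrade hook or a monitoring job.
if [ "${1:-}" = "--run" ]; then
    check_setuid_owner "$QUEUE" sympa sympa
fi
```

Debian's `dpkg-statoverride --add sympa sympa 4755 /usr/lib/sympa/lib/sympa/queue` records such an owner and mode so that dpkg reapplies them on upgrade; the thread does not say whether that was used here.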

