[Pkg-sympa-devel] [SECURITY] [DSA 2477-1] sympa security update
Dario Minnucci
midget at debian.org
Wed May 23 14:27:31 UTC 2012
Hi Team,

(Please Cc me if needed because I'm not a subscriber.)

Just for the record.

After upgrading sympa to 6.0.1+dfsg-4+squeeze1, mail delivery stopped working due to wrong user,
group and perms on /usr/lib/sympa/lib/sympa/queue.

I've solved this as proposed in BTS #581849 [0].

# chown sympa:sympa /usr/lib/sympa/lib/sympa/queue
# chmod u+s /usr/lib/sympa/lib/sympa/queue

I think I've performed these changes originally when I installed sympa for the very first time on
this server, so it seems that /usr/lib/sympa/lib/sympa/queue was overwritten by the upgrade, installing
the file as root:root 0755.

Hope this helps with possible issues in the future.

Regards,

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581849

On 05/20/2012 08:54 PM, Florian Weimer wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2477-1 security at debian.org
> http://www.debian.org/security/ Florian Weimer
> May 20, 2012 http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : sympa
> Vulnerability : authorization bypass
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2012-2352
> Debian Bug :
>
> Several vulnerabilities have been discovered in Sympa, a mailing list
> manager, that allow skipping the scenario-based authorization
> mechanisms. This vulnerability allows unauthorized users to display
> the archives management page, and to download and delete the list
> archives.
>
> For the stable distribution (squeeze), this problem has been fixed in
> version 6.0.1+dfsg-4+squeeze1.
>
> For the testing distribution (wheezy), this problem will be fixed
> soon.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 6.1.11~dfsg-2.
>
> We recommend that you upgrade your sympa packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce at lists.debian.org
>
>
--
Dario Minnucci <midget at debian.org>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
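
A post-upgrade check for the regression reported in the message above, added here as an example (it is not part of the original mail or of the sympa package). The path, owner and group defaults come from the message; the function name, the environment variables and the --check switch are assumptions of this sketch, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: confirm a setuid helper kept its owner, group and mode
# after a package upgrade. Defaults are the values quoted in the message.
QUEUE_BIN="${QUEUE_BIN:-/usr/lib/sympa/lib/sympa/queue}"
WANT_USER="${WANT_USER:-sympa}"
WANT_GROUP="${WANT_GROUP:-sympa}"

# check_setuid_helper PATH USER GROUP   (hypothetical helper name)
# Returns 0 if PATH is a regular file owned by USER:GROUP with the setuid
# bit set and no group/world write bit, 1 if any of that is wrong,
# 2 if PATH is missing.
check_setuid_helper() {
    csh_path=$1 csh_user=$2 csh_group=$3
    [ -f "$csh_path" ] || { echo "MISSING $csh_path" >&2; return 2; }
    csh_owner=$(stat -c '%U:%G' "$csh_path")   # GNU stat format flags
    csh_mode=$(stat -c '%a' "$csh_path")       # e.g. 755 or 4755
    csh_rc=0
    if [ "$csh_owner" != "$csh_user:$csh_group" ]; then
        echo "BAD owner $csh_owner, want $csh_user:$csh_group" >&2
        csh_rc=1
    fi
    if [ ! -u "$csh_path" ]; then
        echo "BAD mode $csh_mode, setuid bit missing" >&2
        csh_rc=1
    fi
    # A setuid file that group or others can write lets them replace
    # code that runs as the file's owner.
    csh_grp=$(( csh_mode / 10 % 10 ))
    csh_oth=$(( csh_mode % 10 ))
    if [ $(( (csh_grp | csh_oth) & 2 )) -ne 0 ]; then
        echo "BAD mode $csh_mode, writable by group or others" >&2
        csh_rc=1
    fi
    return $csh_rc
}

# Stand-alone use: sh check-queue.sh --check  (script name is an assumption)
if [ "${1:-}" = "--check" ]; then
    if check_setuid_helper "$QUEUE_BIN" "$WANT_USER" "$WANT_GROUP"; then
        echo "OK $QUEUE_BIN"
    else
        echo "Fix as in the message: chown $WANT_USER:$WANT_GROUP and chmod u+s" >&2
        exit 1
    fi
fi
```
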