Date: Sun, 24 May 2020 16:34:47 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 246701] mail/sympa upgrade to 6.2.56 Message-ID: <bug-246701-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246701

Bug ID: 246701
Summary: mail/sympa upgrade to 6.2.56
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: wfdudley@gmail.com
CC: dgeo@centrale-marseille.fr
Flags: maintainer-feedback?(dgeo@centrale-marseille.fr)

A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

  - FastCGI wrappers
  - newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface run under the privileges of a dedicated user. The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under the privileges of the setuid-ed users.

More here: https://github.com/sympa-community/sympa/releases/tag/6.2.56

-- 
You are receiving this mail because:
You are the assignee for the bug.
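The root cause reported above is a setuid wrapper that hands its inherited environment to the privileged program. The following is an added example of the defensive pattern, not code from Sympa or the FreeBSD port: the wrapper rebuilds the environment from an allowlist and pins PATH, so PERL5LIB, PERL5OPT, LD_* and anything else that could redirect code loading never reach the privileged process. The allowlist, the PATH value and the constructed hostile environment in self_check() are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: only these caller variables survive. Everything else,
 * including PERL5LIB (the variable named in the report), is dropped. */
static const char *const allow[] = { "LANG", "LC_ALL", "TZ", NULL };

/* Returns 1 if kv ("NAME=value") is on the allowlist. The '=' check stops a
 * prefix such as "LANGUAGE" from matching "LANG". */
int allowed(const char *kv) {
    size_t i, n;
    for (i = 0; allow[i] != NULL; i++) {
        n = strlen(allow[i]);
        if (strncmp(kv, allow[i], n) == 0 && kv[n] == '=')
            return 1;
    }
    return 0;
}

/* Fills out[] (NULL-terminated, capacity max) with a pinned PATH followed by
 * the allowlisted entries of in[]; returns the number of entries kept. */
size_t build_clean_env(char *const in[], char *out[], size_t max) {
    size_t i, n = 0;
    if (max < 2) return 0;
    out[n++] = "PATH=/usr/bin:/bin:/usr/sbin:/sbin";   /* assumed safe PATH */
    for (i = 0; in[i] != NULL && n < max - 1; i++)
        if (allowed(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Runs the filter over a constructed hostile environment and returns 1 when
 * the injected PERL5LIB/PERL5OPT and caller PATH are gone and LANG remains. */
int self_check(void) {
    char *const hostile[] = { "PERL5LIB=/tmp/injected", "LANG=C",
                              "PATH=/tmp:/usr/bin", "PERL5OPT=-Mx", NULL };
    char *clean[8];
    size_t n = build_clean_env(hostile, clean, 8);
    return n == 2 && strcmp(clean[0], "PATH=/usr/bin:/bin:/usr/sbin:/sbin") == 0
        && strcmp(clean[1], "LANG=C") == 0 && clean[2] == NULL;
}

int main(int argc, char *argv[]) {
    extern char **environ;
    char *clean[64];
    size_t i, n = build_clean_env(environ, clean, 64);
    for (i = 0; i < n; i++) printf("%s\n", clean[i]);
    /* A real wrapper would now hand over using the sanitized array, e.g.
     * execve("/path/to/privileged/program", argv, clean), never environ. */
    (void)argc; (void)argv;
    return self_check() ? 0 : 1;
}
```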