security: private archives available to all

Related Vulnerabilities: CVE-2012-2352  

Debian Bug report logs - #672893

Package: sympa; Maintainer for sympa is Debian Sympa team <sympa@packages.debian.org>; Source for sympa is src:sympa.

Reported by: Micah Anderson <micah@debian.org>

Date: Mon, 14 May 2012 14:48:04 UTC

Severity: grave

Tags: patch, security

Merged with 672859

Found in version sympa/6.0.1+dfsg-4

Fixed in version sympa/6.0.1+dfsg-4+squeeze1

Done: Emmanuel Bouthenot <kolter@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, micah@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#672893; Package sympa. (Mon, 14 May 2012 14:48:07 GMT)


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to micah@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Mon, 14 May 2012 14:48:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security: private archives available to all
Date: Mon, 14 May 2012 10:45:46 -0400
Package: sympa
Version: 6.0.1+dfsg-4
Severity: grave
Tags: security patch
Justification: user security hole

It is possible to open the archive management ("arc_manage") page
for any list, even those set to only be available to members,
giving anyone the option to download the archive, or delete the
archive.

http://www.sympa.org/distribution/latest-stable/NEWS 

Patch for the version in stable:
https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358

Please reference CVE-2012-2352 in any changelogs addressing this issue.

micah

System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
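The report above describes an action page (arc_manage) that can be opened without the authorization the list's archive settings are supposed to impose, so any visitor can download or delete the archive. The following is an added example, not Sympa's code and not the patch linked in the report: it models that bug class in Python, with a handler that never consults the list's policy beside a dispatcher that applies a per-action policy table before any handler runs and refuses actions that have no entry. The list model, the policy rules (public/private archives, owner-only archive management) and every function name are assumptions made for the example.

```python
# Added example, not Sympa code: a model of the bug class behind
# CVE-2012-2352. One handler ("arc_manage") never consults the list's
# authorization policy; the hardened dispatcher applies policy centrally
# and denies any action without a policy entry. All names and policy rules
# are assumptions for illustration, not Sympa's real scenario engine.
from dataclasses import dataclass, field


@dataclass
class MailingList:
    name: str
    archive_access: str                # "public" or "private" (assumed values)
    members: set = field(default_factory=set)
    owners: set = field(default_factory=set)
    archive: list = field(default_factory=list)


def may_read_archive(lst, user):
    """Private archives need an authenticated member; user None = anonymous."""
    if lst.archive_access == "public":
        return True
    return user is not None and user in lst.members


def may_manage_archive(lst, user):
    """Archive download/delete is assumed to be an owner-only operation."""
    return user is not None and user in lst.owners


# Vulnerable shape: every handler must remember its own check, and
# arc_manage has none, which is the condition the bug report describes.
def vulnerable_arc(lst, user):
    if not may_read_archive(lst, user):
        raise PermissionError("archive is members-only")
    return list(lst.archive)


def vulnerable_arc_manage(lst, user, op):
    # No authorization at all: anyone reaching this URL can read or wipe it.
    if op == "download":
        return list(lst.archive)
    if op == "delete":
        lst.archive.clear()
        return []
    raise ValueError(op)


# Hardened shape: handlers do only their work; POLICY is keyed by action
# name and consulted by dispatch() before any handler runs.
def fixed_arc(lst, user):
    return list(lst.archive)


def fixed_arc_manage(lst, user, op):
    if op == "download":
        return list(lst.archive)
    if op == "delete":
        lst.archive.clear()
        return []
    raise ValueError(op)


HANDLERS = {"arc": fixed_arc, "arc_manage": fixed_arc_manage}
POLICY = {"arc": may_read_archive, "arc_manage": may_manage_archive}


def dispatch(lst, user, action, **params):
    check = POLICY.get(action)
    if check is None:
        # Deny by default: a handler without a policy entry is a bug, not a grant.
        raise PermissionError(f"no authorization policy for {action!r}")
    if not check(lst, user):
        raise PermissionError(f"{user!r} may not run {action!r} on {lst.name}")
    return HANDLERS[action](lst, user, **params)


def unguarded_actions(handlers=HANDLERS, policy=POLICY):
    """Review-time check: every registered action must have a policy entry."""
    return sorted(set(handlers) - set(policy))


def attempt(lst, user, action, **params):
    """Run an action through dispatch() and report 'denied' or the result."""
    try:
        return dispatch(lst, user, action, **params)
    except PermissionError:
        return "denied"


def demo():
    # Constructed data: a members-only list with one member and one owner.
    lst = MailingList("private-list", "private", members={"alice"},
                      owners={"bob"}, archive=["msg-1", "msg-2"])
    return {
        "vuln_anon_download": vulnerable_arc_manage(lst, None, "download"),
        "fixed_anon_arc": attempt(lst, None, "arc"),
        "fixed_anon_manage": attempt(lst, None, "arc_manage", op="download"),
        "fixed_member_arc": attempt(lst, "alice", "arc"),
        "fixed_member_delete": attempt(lst, "alice", "arc_manage", op="delete"),
        "fixed_owner_delete": attempt(lst, "bob", "arc_manage", op="delete"),
        "archive_after": list(lst.archive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the anonymous download succeeding against the unguarded handler and being refused by the dispatcher, while the member can read but not delete and only the owner can delete. `unguarded_actions()` is the review-time check that catches a handler registered without a policy entry; a per-handler check, as in the vulnerable shape, offers no such place to look, which is how an omission like the one reported here ships unnoticed.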




Merged 672859 672893 Request was from Emmanuel Bouthenot <kolter@debian.org> to control@bugs.debian.org. (Mon, 14 May 2012 17:39:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#672893; Package sympa. (Tue, 15 May 2012 15:09:03 GMT)


Acknowledgement sent to David Verdin <david.verdin@renater.fr>:
Extra info received and forwarded to list. Copy sent to Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Tue, 15 May 2012 15:09:03 GMT)


Message #12 received at submit@bugs.debian.org:

From: David Verdin <david.verdin@renater.fr>
To: Micah Anderson <micah@debian.org>, 672893@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#672893: security: private archives available to all
Date: Tue, 15 May 2012 17:06:50 +0200
Some useful information regarding the vulnerability and the versions
of Sympa fixing it can be found on the security advisories page of the
Sympa web site:

https://www.sympa.org/security_advisories

Regards,

David

On 14/05/12 16:45, Micah Anderson wrote:
> Package: sympa
> Version: 6.0.1+dfsg-4
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> It is possible to open the archive management ("arc_manage") page
> for any list, even those set to only be available to members,
> giving anyone the option to download the archive, or delete the
> archive.
>
> http://www.sympa.org/distribution/latest-stable/NEWS
>
> Patch for the version in stable:
> https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358
>
> Please reference CVE-2012-2352 in any changelogs addressing this issue.
>
> micah
>
> System Information:
> Debian Release: wheezy/sid
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#672893; Package sympa. (Tue, 15 May 2012 16:15:06 GMT)


Acknowledgement sent to David Verdin <david.verdin@renater.fr>:
Extra info received and forwarded to list. Copy sent to Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Tue, 15 May 2012 16:15:07 GMT)


Reply sent to Emmanuel Bouthenot <kolter@debian.org>:
You have taken responsibility. (Thu, 24 May 2012 22:09:08 GMT)


Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer. (Thu, 24 May 2012 22:09:08 GMT)


Message #22 received at 672893-close@bugs.debian.org:

From: Emmanuel Bouthenot <kolter@debian.org>
To: 672893-close@bugs.debian.org
Subject: Bug#672893: fixed in sympa 6.0.1+dfsg-4+squeeze1
Date: Thu, 24 May 2012 22:06:01 +0000
Source: sympa
Source-Version: 6.0.1+dfsg-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
sympa_6.0.1+dfsg-4+squeeze1.dsc
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1.dsc
sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 672893@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kolter@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 May 2012 15:49:55 +0000
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 6.0.1+dfsg-4+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>
Changed-By: Emmanuel Bouthenot <kolter@debian.org>
Description: 
 sympa      - Modern mailing list manager
Closes: 672893
Changes: 
 sympa (6.0.1+dfsg-4+squeeze1) stable-security; urgency=high
 .
   * Fix CVE-2012-2352: Possibility to bypass the authorization mechanisms in
   the archive management page of wwsympa (Closes: #672893)
Checksums-Sha1: 
 162c35d2e518c77807208e80e0d57e87af495a93 2580 sympa_6.0.1+dfsg-4+squeeze1.dsc
 9efaf6c3531c635ba935ec589545584e36228a60 4675743 sympa_6.0.1+dfsg.orig.tar.gz
 f60592589f92c13532f4b675b6b344c1f969e047 108365 sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 fc4a079368cdbcd7a7fd18ffd399fe88f567e6db 2524590 sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
Checksums-Sha256: 
 e1b5e06327d23f210762ae7c22c6c4211f0e667eb39644aeb170a174e60e93ae 2580 sympa_6.0.1+dfsg-4+squeeze1.dsc
 a5637ff0d870c0d266fcbadaf6a45c3d0f7dd3397e413a7731b62ad34a6d2e6b 4675743 sympa_6.0.1+dfsg.orig.tar.gz
 8f3e39b68ad8c30c90577cd9a514e356725691cf5b150982d1381437c39583e5 108365 sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 6569d4ad481bec65f4af39230334b960bdc8a3bc0e85ee5aac79f91b48e3d380 2524590 sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
Files: 
 43de70f43a457e8415a8411eb5af7ee6 2580 mail optional sympa_6.0.1+dfsg-4+squeeze1.dsc
 fe14224f015aa79dee67979e65f8a988 4675743 mail optional sympa_6.0.1+dfsg.orig.tar.gz
 857d6fcabba5325330874e859bef60ca 108365 mail optional sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 3c66d31c7c7afa879165043097b480e5 2524590 mail optional sympa_6.0.1+dfsg-4+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Reply sent to Emmanuel Bouthenot <kolter@debian.org>:
You have taken responsibility. (Thu, 24 May 2012 22:09:10 GMT)


Notification sent to George Kargiotakis <kargig@noc.grnet.gr>:
Bug acknowledged by developer. (Thu, 24 May 2012 22:09:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:29:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:11:29 2019; Machine Name: beach
