Debian Bug report logs -
#976020
sympa: CVE-2020-29668: Unauthorized access to review call of the SOAP API
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Sympa team <sympa@packages.debian.org>:
Bug#976020; Package sympa.
(Sat, 28 Nov 2020 12:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
New Bug report received and forwarded. Copy sent to Debian Sympa team <sympa@packages.debian.org>.
(Sat, 28 Nov 2020 12:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
package: sympa
version: 6.2.58~dfsg-2
severity: important
tags: security
forwarded: https://github.com/sympa-community/sympa/issues/1041
It is possible to retrieve the email addresses of a list through the SOAP API without proper authentication.
This requires the following knowledge:
- name of the list
- email of an user that is allowed to see the email addresses OR a valid session id
The SOAP API is not activated with the default Debconf settings.
Patch attached.
Regards
Racke
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
[soap-api-access-fix.diff (text/x-patch, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Marked as found in versions sympa/6.2.40~dfsg-7.
Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de>
to control@bugs.debian.org.
(Sat, 28 Nov 2020 13:03:02 GMT) (full text, mbox, link).
Marked as found in versions sympa/6.2.40~dfsg-1.
Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de>
to control@bugs.debian.org.
(Sat, 28 Nov 2020 13:03:02 GMT) (full text, mbox, link).
Marked as found in versions 6.2.16~dfsg-3+deb9u4.
Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de>
to control@bugs.debian.org.
(Sat, 28 Nov 2020 13:03:03 GMT) (full text, mbox, link).
Added tag(s) patch.
Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de>
to control@bugs.debian.org.
(Sat, 28 Nov 2020 13:03:04 GMT) (full text, mbox, link).
Reply sent
to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility.
(Sat, 28 Nov 2020 17:09:03 GMT) (full text, mbox, link).
Notification sent
to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Bug acknowledged by developer.
(Sat, 28 Nov 2020 17:09:03 GMT) (full text, mbox, link).
Message #18 received at 976020-close@bugs.debian.org (full text, mbox, reply):
Source: sympa
Source-Version: 6.2.58~dfsg-2
Done: Stefan Hornburg (Racke) <racke@linuxia.de>
We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 976020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated sympa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 28 Nov 2020 15:41:21 +0100
Source: sympa
Architecture: source
Version: 6.2.58~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Sympa team <sympa@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Closes: 976020
Changes:
sympa (6.2.58~dfsg-2) unstable; urgency=low
.
* Apply patch to fix unauthorized access to review call of the SOAP API
(Closes: #976020).
* Add debconf-updatepo to clean target.
.
[ Sylvain Beucler ]
* Ask the user whether they want/need sympa_newaliases-wrapper to
be setuid root (CVE-2020-26880 mitigation)
Checksums-Sha1:
413e726ac7b514d033b0af303f81da30e8860e97 2517 sympa_6.2.58~dfsg-2.dsc
49f3e19bc9212ddd040d1ede87db7ea0164e6f9e 166160 sympa_6.2.58~dfsg-2.debian.tar.xz
a0c848e13c4e335c541052ef9a85cda600a26e1a 14974 sympa_6.2.58~dfsg-2_amd64.buildinfo
Checksums-Sha256:
61b1235c7ee3f11260e6dc726c909bf4e758c6daa992f10624bad12c617f185f 2517 sympa_6.2.58~dfsg-2.dsc
afc5bc31ee2f86144fd139f7326a7a2e4734cda6fd42a09e62692210340b679b 166160 sympa_6.2.58~dfsg-2.debian.tar.xz
2ee6f69a42db704ab903b817223b0daf21fdc0d2a7cf656b4915988c18222684 14974 sympa_6.2.58~dfsg-2_amd64.buildinfo
Files:
5bb428617f74d99d8235880b4436ae08 2517 mail optional sympa_6.2.58~dfsg-2.dsc
b236330ab79717d39197dff82a1444d3 166160 mail optional sympa_6.2.58~dfsg-2.debian.tar.xz
e997cdbc99109915b2dd0e95325c2f00 14974 mail optional sympa_6.2.58~dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCAAvFiEE1oFJdaJ3d0yY0N/vW5MBW/onIPgFAl/CfU0RHHJhY2tlQGxp
bnV4aWEuZGUACgkQW5MBW/onIPitSxAAu6OWyZ0P9oFuyY6lwPrrrZnBonujoTF7
HneXZ9SFQVDQWEfihAruDw+yYjP3UtSq9Ytp9uq4BcaLMJuuBUT8kKgtYx96LY2U
UN/j3z8CuA+wbgaJ+j3f/jxS1bd1ht77ZVxjodxXRr65wb3IjbB7w6O2SVso74fT
Vcd9iKBMItlHA8w5OH9rzQnuRnr0nEModyozggZGqcTo0JGZIwlQ54yPE/NGdjuv
FBg3CRWJT/1vX0Pnkpp/wvB21c0iZi4nx+t8WjqlTj7exVj6kYuebASTMgPAQ45K
kIWGsAPt/A1n+HhMC8HSTOP5/FjtBO5dZhPHvzx2/7I8Y+tHf801d/CsQZRsYt86
LV91/rvYfu/Yw+4tohkkIaVLUsiNPiP7Fa6F/8gcV7ZLpdNz9mSmfc21No66wfyK
DK4OCR7fFJQWwwA3XNu8yrADNxhsk9HKmQRruKLrk+dSi26PhkX85sQ7NMD5ZUCw
/wzAwn9aTmPmAtPAeZZl94VTaohQvcBP7MPCMpFxWLUf2XBb0exYpsuh4Q8FOVI/
Hoqiep63YfrEzzcRwfLT9WwAgzzOfSmfIm2Qn7urpk01iPulSVOQImqwO5Z9O0ZU
zT+6m8zres5y2VDALjcComFGPVOWb0VgcFETpLPr+bIYE7A7Kl/NWu/g5xf89VvK
iUdsW54WD/M=
=opGD
-----END PGP SIGNATURE-----
Changed Bug title to 'sympa: CVE-2020-29668: Unauthorized access to review call of the SOAP API' from 'Unauthorized access to review call of the SOAP API'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 10 Dec 2020 20:21:08 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 10 Dec 2020 20:21:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Dec 11 07:58:35 2020;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon