
Debian Bug report logs - #908165
sympa: CVE-2018-1000671


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Sep 2018 20:39:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version sympa/6.2.16~dfsg-3

Fixed in version sympa/6.2.36~dfsg-1

Done: Emmanuel Bouthenot <kolter@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/sympa-community/sympa/issues/268



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#908165; Package src:sympa. (Thu, 06 Sep 2018 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Thu, 06 Sep 2018 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sympa: CVE-2018-1000671
Date: Thu, 06 Sep 2018 22:36:51 +0200
Source: sympa
Version: 6.2.16~dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/sympa-community/sympa/issues/268

Hi,

The following vulnerability was published for sympa, filed to start
tracking the upstream issue. AFAIK, there is no fix available yet.

CVE-2018-1000671[0]:
| sympa version 6.2.16 and later contains a CWE-601: URL Redirection to
| Untrusted Site ('Open Redirect') vulnerability in The "referer"
| parameter of the wwsympa.fcgi login action. that can result in Open
| redirection and reflected XSS via data URIs. This attack appear to be
| exploitable via Victim's browser must follow a URL supplied by the
| attacker. This vulnerability appears to have been fixed in none
| available.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000671
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000671
[1] https://github.com/sympa-community/sympa/issues/268

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

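The check a fix for the reported weakness (CWE-601, a redirect target taken from the login action's "referer" parameter) has to perform, as an added example; this is not code from the bug report or from Sympa. A target is only honoured when it is a plain http(s) URL on the site's own host or an absolute path on that site; data: and javascript: URIs, foreign hosts, user@host forms and protocol-relative values fall back to a fixed page. SITE_HOST, FALLBACK and the function names are assumptions, and the example goes beyond the reported data: URI to the other scheme and host tricks such a check must reject.

```python
"""Post-login redirect validation of the kind a CWE-601 fix needs.

Added example, not Sympa's code. A redirect target taken from the request
(here: the "referer" parameter of the login action) is only honoured when it
is a plain http(s) URL on this site's own host, or an absolute path on this
site. Everything else, including data: and javascript: URIs, foreign hosts,
user@host tricks and protocol-relative values, is replaced by FALLBACK.
SITE_HOST and FALLBACK are assumptions for the example.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "lists.example.org"   # assumed: the host this instance serves
FALLBACK = "/sympa"               # assumed: where to send the user otherwise
ALLOWED_SCHEMES = {"http", "https"}


def _site_relative(path: str, query: str, fallback: str) -> str:
    """Re-emit an on-site target as a relative URL built from parsed parts.

    A path beginning with // (or containing a backslash, which browsers
    treat as /) would be read as protocol-relative, i.e. off-site again.
    """
    path = path or "/"
    if path.startswith("//") or "\\" in path:
        return fallback
    return urlunsplit(("", "", path, query, ""))


def safe_redirect(referer: Optional[str], fallback: str = FALLBACK) -> str:
    """Return a redirect target that stays on SITE_HOST, or `fallback`."""
    if not referer:
        return fallback
    # Drop control characters and whitespace that browsers tolerate inside a
    # URL; "java\tscript:" must not slip past the scheme check below.
    candidate = "".join(ch for ch in referer if ord(ch) > 0x20)
    if not candidate:
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:            # e.g. an unbalanced IPv6 literal
        return fallback
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: only http(s), and only our own host. hostname is the
        # parsed host, so "https://lists.example.org@evil.example/" fails here.
        if scheme not in ALLOWED_SCHEMES or parts.hostname != SITE_HOST:
            return fallback
        return _site_relative(parts.path, parts.query, fallback)
    # No scheme: accept an absolute path only. "//evil.example/" parses with
    # a netloc and is rejected; "evil.example/x" is not an absolute path.
    if not candidate.startswith("/") or parts.netloc:
        return fallback
    return _site_relative(parts.path, parts.query, fallback)


if __name__ == "__main__":
    for value in ("/sympa/lists", "https://lists.example.org/sympa/info/foo?x=1",
                  "data:text/html,<script>alert(1)</script>", "//evil.example/"):
        print(f"{value!r:60} -> {safe_redirect(value)}")
```

The point of rebuilding the target from parsed components instead of echoing the parameter is that whatever passes is a site-relative path the application itself composed; the attacker's string, data: URI or otherwise, never reaches the Location header or the page.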


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#908165; Package src:sympa. (Fri, 07 Sep 2018 06:21:05 GMT)


Acknowledgement sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Fri, 07 Sep 2018 06:21:05 GMT)


Message #10 received at 908165@bugs.debian.org:

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 908165@bugs.debian.org
Subject: Re: Bug#908165: sympa: CVE-2018-1000671
Date: Fri, 7 Sep 2018 07:46:54 +0200
On 9/6/18 10:36 PM, Salvatore Bonaccorso wrote:
> Source: sympa
> Version: 6.2.16~dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sympa-community/sympa/issues/268
> 
> Hi,
> 
> The following vulnerability was published for sympa, filed to start
> tracking the upstream issue. AFAIK, there is no fix available yet.
> 
> CVE-2018-1000671[0]:
> | sympa version 6.2.16 and later contains a CWE-601: URL Redirection to
> | Untrusted Site ('Open Redirect') vulnerability in The "referer"
> | parameter of the wwsympa.fcgi login action. that can result in Open
> | redirection and reflected XSS via data URIs. This attack appear to be
> | exploitable via Victim's browser must follow a URL supplied by the
> | attacker. This vulnerability appears to have been fixed in none
> | available.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000671
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000671
> [1] https://github.com/sympa-community/sympa/issues/268
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

Hello Salvatore,

upstream is working on a fix for this problem, so we can expect a patch in the next few days.

Regards
         Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 17 Sep 2018 18:24:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>:
Bug#908165; Package src:sympa. (Wed, 19 Sep 2018 20:00:03 GMT)


Acknowledgement sent to Abhijith PA <abhijith@disroot.org>:
Extra info received and forwarded to list. Copy sent to Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>. (Wed, 19 Sep 2018 20:00:03 GMT)


Message #17 received at 908165@bugs.debian.org:

From: Abhijith PA <abhijith@disroot.org>
To: 908165@bugs.debian.org
Subject: Re: Bug#908165: sympa: CVE-2018-1000671
Date: Thu, 20 Sep 2018 01:26:03 +0530
Hi.


I've prepared an update for the oldstable-security from upstream commits.


abhijith.
[sympa_deb8u3.debdiff (text/plain, attachment)]

Reply sent to Emmanuel Bouthenot <kolter@debian.org>:
You have taken responsibility. (Thu, 27 Sep 2018 21:39:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Sep 2018 21:39:08 GMT)


Message #22 received at 908165-close@bugs.debian.org:

From: Emmanuel Bouthenot <kolter@debian.org>
To: 908165-close@bugs.debian.org
Subject: Bug#908165: fixed in sympa 6.2.36~dfsg-1
Date: Thu, 27 Sep 2018 21:34:49 +0000
Source: sympa
Source-Version: 6.2.36~dfsg-1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kolter@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Sep 2018 12:58:58 +0000
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 6.2.36~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <sympa@packages.debian.org>
Changed-By: Emmanuel Bouthenot <kolter@debian.org>
Description:
 sympa      - Modern mailing list manager
Closes: 898793 904501 908165 908431
Changes:
 sympa (6.2.36~dfsg-1) unstable; urgency=medium
 .
   * New upstream release
     - No longer ships normalize.css (Closes: #898793)
     - Fix XSS vulnerability: CVE-2018-1000671 (Closes: #908165)
   * Remove dependency on libjs-twitter-bootstrap (Closes: #908431)
   * No longer ships /var/lib/sympa/static_content (useless with Sympa
     >= 6.2.32) (Closes: #904501)
   * Various fixes related to javascript and css changes (switch to
     foundation 6)
   * Drop manpages patch (merged upstream)
Checksums-Sha1:
 290b8e06ef4952091ad11083898b58ee32c8cf4d 2534 sympa_6.2.36~dfsg-1.dsc
 64af7af858719f28215f9d16730e2ed8d749b7e1 10415088 sympa_6.2.36~dfsg.orig.tar.gz
 6ee24dbb870dd9660327a232a45c2a9574faeeb8 165048 sympa_6.2.36~dfsg-1.debian.tar.xz
 16f5a6148856f153d313d26d68dea030f3d75327 20172 sympa-dbgsym_6.2.36~dfsg-1_amd64.deb
 6082f3822a67d7799147c9688e93b9a5faad5118 9170 sympa_6.2.36~dfsg-1_amd64.buildinfo
 f954453b8e62ba971b7b90727dd45e4a9dd27e8b 2658096 sympa_6.2.36~dfsg-1_amd64.deb
Checksums-Sha256:
 d6b4000478f47d9b656337e920626800e9710d5da3b79b10a96edf114890ccb4 2534 sympa_6.2.36~dfsg-1.dsc
 139e440d28db591e907fbba11ad58c0fd717f9445efc76b6c200b46539ecd706 10415088 sympa_6.2.36~dfsg.orig.tar.gz
 727e62fb1266dded7b7cc18f599e0f13016f560ac205542dc27f3743b701ed41 165048 sympa_6.2.36~dfsg-1.debian.tar.xz
 1a491f8489ae4f4501991de58473ed347907b8814669ddd5381174afff94afc6 20172 sympa-dbgsym_6.2.36~dfsg-1_amd64.deb
 9003a62207b5b4060f67035ac0f67f6bbc449b66ccd627b602a92686e3be84f1 9170 sympa_6.2.36~dfsg-1_amd64.buildinfo
 e84a9b5472e237bf2b7b0f1da0f0ab29de1d4063f042496ca8f8d997e5721c1e 2658096 sympa_6.2.36~dfsg-1_amd64.deb
Files:
 f696b2c8c9a23b83bc385dfff171e5af 2534 mail optional sympa_6.2.36~dfsg-1.dsc
 d075991872279670be82c988563ff9a9 10415088 mail optional sympa_6.2.36~dfsg.orig.tar.gz
 850dee8a98cb48bbae3faf11378b48f3 165048 mail optional sympa_6.2.36~dfsg-1.debian.tar.xz
 672ab73efc88563c7689900f0e22e6e2 20172 debug optional sympa-dbgsym_6.2.36~dfsg-1_amd64.deb
 f6c44a465750d3bbd714b95cf23e373c 9170 mail optional sympa_6.2.36~dfsg-1_amd64.buildinfo
 3046c5a10f4a7ec4796145d2f2660435 2658096 mail optional sympa_6.2.36~dfsg-1_amd64.deb

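The Checksums-Sha256 stanza in the .changes text above is what a fetched copy of the 6.2.36~dfsg-1 source package should be checked against before it is unpacked or inspected. The following is an added example, not part of the report or of Debian's own tools: it parses one checksum field out of a .changes excerpt copied from this upload, then verifies a directory against it, reporting missing files, size mismatches and digest mismatches separately and refusing file names that carry a path component. The function names, the helper that writes a scratch directory, and the file contents used in the demo are assumptions.

```python
"""Verify downloaded files against the Checksums-Sha256 field of a .changes file.

Added example, not part of the bug report or of Debian's own tools. The
CHANGES_TEXT excerpt is copied from the sympa 6.2.36~dfsg-1 upload in this
report; the files written in the demo are constructed, so the demo shows
what a failed verification looks like.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Copied from the .changes text of the 6.2.36~dfsg-1 upload (excerpt).
CHANGES_TEXT = """\
Format: 1.8
Source: sympa
Version: 6.2.36~dfsg-1
Checksums-Sha256:
 d6b4000478f47d9b656337e920626800e9710d5da3b79b10a96edf114890ccb4 2534 sympa_6.2.36~dfsg-1.dsc
 139e440d28db591e907fbba11ad58c0fd717f9445efc76b6c200b46539ecd706 10415088 sympa_6.2.36~dfsg.orig.tar.gz
 727e62fb1266dded7b7cc18f599e0f13016f560ac205542dc27f3743b701ed41 165048 sympa_6.2.36~dfsg-1.debian.tar.xz
Files:
 f696b2c8c9a23b83bc385dfff171e5af 2534 mail optional sympa_6.2.36~dfsg-1.dsc
"""

Entries = Dict[str, Tuple[str, int]]   # filename -> (hex digest, size in bytes)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> Entries:
    """Extract one multi-line checksum field: the indented continuation lines
    after 'Field:' up to the next non-indented line (control-file syntax)."""
    entries: Entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_field = line.rstrip() == f"{field}:"
            continue
        if not in_field:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts
        # A directory component here would let a crafted .changes make the
        # verifier read (and vouch for) a file outside the download directory.
        if os.path.basename(name) != name:
            raise ValueError(f"unsafe file name in {field}: {name!r}")
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries: Entries, directory: str, algorithm: str = "sha256") -> List[Tuple[str, str]]:
    """Return (filename, problem) for every listed file that fails.

    The size is compared before hashing so a truncated download is reported
    distinctly from a corrupted or substituted one."""
    problems: List[Tuple[str, str]] = []
    for name, (expected, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        actual_size = os.path.getsize(path)
        if actual_size != size:
            problems.append((name, f"size {actual_size} != {size}"))
            continue
        digest = hashlib.new(algorithm)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        if digest.hexdigest() != expected:
            problems.append((name, "digest mismatch"))
    return problems


def verify_in_scratch_dir(entries: Entries, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Write constructed file contents into a temporary directory and verify them."""
    with tempfile.TemporaryDirectory() as directory:
        for name, data in files.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)
        return verify_files(entries, directory)


if __name__ == "__main__":
    entries = parse_checksums(CHANGES_TEXT)
    # Constructed stand-in for the .dsc: right size, wrong content; the two
    # tarballs are not present at all.
    for name, problem in verify_in_scratch_dir(entries, {"sympa_6.2.36~dfsg-1.dsc": b"x" * 2534}):
        print(f"{name}: {problem}")
```

Checking the digests only establishes that the files match the .changes text; the .changes is itself PGP-signed (the signature block was stripped from this page), and it is that signature, verified against the uploader's key, that ties the digests to the Debian maintainer.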




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 Oct 2018 07:29:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:03:44 2019; Machine Name: beach
