sympa: restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (CVE-2020-26932)

Related Vulnerabilities: CVE-2020-26932  

Debian Bug report logs - #971904

Reported by: Sylvain Beucler <beuc@beuc.net>

Date: Fri, 9 Oct 2020 12:45:01 UTC

Severity: normal

Tags: patch, security

Found in versions sympa/6.2.40~dfsg-6, sympa/6.2.40~dfsg-1

Fixed in version sympa/6.2.40~dfsg-7

Done: Stefan Hornburg (Racke) <racke@linuxia.de>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <sympa@packages.debian.org>:
Bug#971904; Package src:sympa. (Fri, 09 Oct 2020 12:45:03 GMT)


Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
New Bug report received and forwarded. Copy sent to Debian Sympa team <sympa@packages.debian.org>. (Fri, 09 Oct 2020 12:45:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sylvain Beucler <beuc@beuc.net>
To: submit@bugs.debian.org
Subject: sympa: restrict access to sympa_newaliases-wrapper (setuid root) to group sympa
Date: Fri, 9 Oct 2020 14:41:39 +0200
Source: sympa
Tags: patch

Cross-referencing
https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1

Cheers!
Sylvain Beucler
Debian LTS Team



Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility. (Sat, 10 Oct 2020 04:51:03 GMT)


Notification sent to Sylvain Beucler <beuc@beuc.net>:
Bug acknowledged by developer. (Sat, 10 Oct 2020 04:51:03 GMT)


Message #10 received at 971904-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 971904-close@bugs.debian.org
Subject: Bug#971904: fixed in sympa 6.2.40~dfsg-7
Date: Sat, 10 Oct 2020 04:48:26 +0000
Source: sympa
Source-Version: 6.2.40~dfsg-7
Done: Stefan Hornburg (Racke) <racke@linuxia.de>

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 10 Oct 2020 06:03:11 +0200
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <sympa@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Closes: 971904
Changes:
 sympa (6.2.40~dfsg-7) unstable; urgency=medium
 .
   [ Sylvain Beucler ]
   * Restrict access to sympa_newaliases-wrapper (setuid root) to group
     sympa (Closes: #971904).




Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2020 08:42:03 GMT)


Changed Bug title to 'sympa: restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (CVE-2020-26932)' from 'sympa: restrict access to sympa_newaliases-wrapper (setuid root) to group sympa'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2020 18:33:02 GMT)


Marked as found in versions sympa/6.2.40~dfsg-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2020 18:33:04 GMT)


Marked as found in versions sympa/6.2.40~dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2020 18:33:04 GMT)
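
The restriction named in the changelog entry can be checked on an installed system. The following is an added example, not code from the Debian package or from Sympa: a shell function that audits a setuid wrapper's owner, group and mode. The wrapper's installed path is not given in this report, so it is passed as an argument; the function name, the output format and the use of GNU `stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Debian's or Sympa's code): audit a setuid wrapper.
# Owner and group default to the names in the changelog entry (root, sympa).

# audit_setuid_wrapper PATH [OWNER] [GROUP]
# Prints one finding per line.
# Returns 0 if access is restricted, 1 if not, 2 on error.
audit_setuid_wrapper() {
    path=$1 want_owner=${2:-root} want_group=${3:-sympa}
    [ -f "$path" ] || { echo "ERROR: $path is not a regular file"; return 2; }

    # GNU stat: octal mode including special bits, owner name, group name.
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3

    # Pad to four digits so the special-bits digit is always present.
    mode4=$(printf '%04d' "$mode")
    special=${mode4%???}   # first digit: setuid=4, setgid=2, sticky=1
    other=${mode4#???}     # last digit: permissions for "other"

    rc=0
    [ $((special & 4)) -ne 0 ] || echo "INFO: setuid bit is not set (mode $mode4)"
    [ "$owner" = "$want_owner" ] || {
        echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || {
        echo "FAIL: group is $group, expected $want_group"; rc=1; }
    [ $((other & 1)) -eq 0 ] || {
        echo "FAIL: executable by every local user (mode $mode4)"; rc=1; }
    [ $((other & 2)) -eq 0 ] || {
        echo "FAIL: world-writable (mode $mode4)"; rc=1; }

    [ "$rc" -ne 0 ] || echo "OK: $path is $owner:$group mode $mode4"
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/sympa_newaliases-wrapper
[ $# -eq 0 ] || audit_setuid_wrapper "$@"
```
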

