[Pkg-sympa-devel] Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

Olivier Berger olivier.berger at it-sudparis.eu
Thu Dec 15 13:21:04 UTC 2011


On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
> 
> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > Package: sympa
> > Version: 5.3.4-6.1
> > Severity: normal
> > 
> > Hi.
> > 
> > I just upgraded one of my servers from etch to lenny and got :
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > in the apache logs.
> 
> This bug seems quite old, and I wonder if it's still valid? It doesn't
> seem to be reproducible with the latest versions of sympa.
> 
> Do you experience it with sympa >= 6.x?

I've upgraded my system to squeeze and installed the sympa package from backports as it seems I heard you mention it somewhere ;)

I'm not sure, but I don't think so, for those errors above.

On the other hand, the problem with these warnings :
mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong....

I don't know if you want to take care of that backports version in this ticket.

Thanks in advance if you can ;)

Best regards,

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





