[Pkg-sympa-devel] Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

David Verdin david.verdin at renater.fr
Thu Jan 5 16:39:47 UTC 2012


Dear all,

This problem showed up recently and was fixed upstream: 
https://sourcesup.cru.fr/scm/viewvc.php?view=revision&root=sympa&revision=7215
I'm not sure whether this patch was already included in a new stable 
version but I'll tag the 6.1.8 pretty soon, so you will be able to add 
it to the Debian package.

Cheers,

David

On 15/12/11 14:21, Olivier Berger wrote:
> On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
>> Hi Olivier,
>>
>> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
>>> Package: sympa
>>> Version: 5.3.4-6.1
>>> Severity: normal
>>>
>>> Hi.
>>>
>>> I just upgraded one of my servers from etch to lenny and got :
>>> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295,<IN>  line 37.
>>> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295,<IN>  line 37.
>>> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295,<IN>  line 77.
>>> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295,<IN>  line 77.
>>> in the apache logs.
>> This bug seems quite old, and I wonder if it's still valid? It doesn't
>> seem to be reproducible with the latest versions of sympa.
>>
>> Do you experience it with sympa >= 6.x?
> I've upgraded my system to squeeze and installed the sympa package from backports as it seems I heard you mention it somewhere ;)
>
> I'm not sure, but I don't think so, for those errors above.
>
> On the other hand, the problem with these warnings :
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
> is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
>
> It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong....
>
> I don't know if you want to take care of that backports version in this ticket.
>
> Thanks in advance if you can ;)
>
> Best regards,
>
