[Pkg-sympa-devel] Bug#672859: wwsympa.fcgi fails to check download/delete permissions properly

David Verdin david.verdin at renater.fr
Mon May 14 11:13:55 UTC 2012


Hi, and thanks for reporting this problem to the Debian tracking system.
Upgrading the package to 6.0.7 will also fix the problem.

Cheers,

David

On 14/05/12 11:15, George Kargiotakis wrote:
> Package: sympa
> Version: 6.0.1+dfsg-4
> Severity: grave
>
> Sympa versions <6.1.11 have a severe security issue where any user can
> download or delete the archives of a mailing list if they know the name
> of the list.
>
> Debian has been tracking it at http://security-tracker.debian.org/tracker/CVE-2012-2352
>
> I'm attaching a patch (taken from upstream commit:
> https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&pathrev=7358 ) that fixes the problem
>
> -- System Information:
> Debian Release: 6.0.4
>    APT prefers stable
>    APT policy: (800, 'stable'), (650, 'testing'), (500, 'stable-updates')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash




