[Bug 246701] mail/sympa upgrade to 6.2.56
bugzilla-noreply at freebsd.org
Sun May 24 16:34:52 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246701
Bug ID: 246701
Summary: mail/sympa upgrade to 6.2.56
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs at FreeBSD.org
Reporter: wfdudley at gmail.com
CC: dgeo at centrale-marseille.fr
Flags: maintainer-feedback?(dgeo at centrale-marseille.fr)
A vulnerability has been discovered in the Sympa web interface by which an
attacker can execute arbitrary code with root privileges.
Sympa uses two sorts of setuid wrappers:
FastCGI wrappers
newaliases wrapper
The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi)
were used to make the web interface run under the privileges of a dedicated
user.
The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the
alias database with root privileges.
Since these setuid wrappers did not clear environment variables, if environment
variables like PERL5LIB were injected, forged code might be loaded and executed
under the privileges of the setuid-ed users.
More here: https://github.com/sympa-community/sympa/releases/tag/6.2.56
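The mitigation the report points to, a setuid wrapper that does not hand the caller's environment to the program it starts, as an added example in C. This is not Sympa's code: TARGET is a placeholder and the allowlist of kept variables is an assumption.

```c
/* Added example, not Sympa's code: a setuid wrapper that execs its target with
 * a fixed, allowlisted environment. TARGET and keep_vars are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/path/to/real-program"   /* placeholder, not a Sympa path */
#define MAX_ENV 16
extern char **environ;

/* Only these caller variables pass through; PERL5LIB, PERLLIB, LD_PRELOAD,
 * LD_LIBRARY_PATH and everything else not listed here are dropped. */
static const char *const keep_vars[] = { "LANG", "TZ", NULL };

/* Returns 1 if the "NAME=value" entry `var` has a name in keep_vars. */
static int name_allowed(const char *var)
{
    const char *eq = strchr(var, '=');
    size_t klen = eq ? (size_t)(eq - var) : 0;   /* no '=': malformed, drop */
    for (size_t k = 0; eq && keep_vars[k]; k++)
        if (strlen(keep_vars[k]) == klen && strncmp(var, keep_vars[k], klen) == 0)
            return 1;
    return 0;
}

/* Fill NULL-terminated `out` with a PATH set by the wrapper itself plus the
 * allowed entries of `in`. Returns the count, or -1 if `out` is too small. */
int build_clean_env(char *const in[], char *out[], size_t out_len)
{
    size_t n = 0;
    if (out_len < 2) return -1;
    out[n++] = "PATH=/usr/local/bin:/usr/bin:/bin";
    for (size_t i = 0; in[i]; i++) {
        if (!name_allowed(in[i])) continue;
        if (n + 1 >= out_len) return -1;         /* keep room for the NULL */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    char *clean[MAX_ENV];
    (void)argc;
    if (build_clean_env(environ, clean, MAX_ENV) < 0) {
        fputs("environment too large\n", stderr); return 1;
    }
    execve(TARGET, argv, clean);                 /* returns only on failure */
    perror("execve");
    return 1;
}
```

Because the new environment is built from a fixed PATH and an explicit allowlist rather than by deleting known-bad names, an injected PERL5LIB (or any variable added later to a library's search logic) never reaches the privileged program.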