
Re: Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables



Hi,

Thank you both for notifying me.

For reasons stated in dla-needed.txt, and more importantly for reasons
mentioned internally (see elts-git or Holger), I can't dedicate more
time this month.

From a quick look:

- the patch for older versions is the same besides the copyright notices.

- I'm not sure why the FCGI wrapper (which is daemonized and
multi-request) would need to query its environment for REMOTE_ADDR
(which changes with each request and is normally sent to the FCGI daemon
through its socket). Carsten may need to provide additional details
and/or check https://github.com/sympa-community/sympa/issues/1020 for
work-arounds.

Cheers!
Sylvain

