Re: Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Hi,
Thank you both for notifying me.
For reasons stated in dla-needed.txt, and more importantly for reasons
mentioned internally (see elts-git or Holger), I can't dedicate more
time this month.
From a quick look:
- the patch for older versions is the same besides the copyright notices.
- I'm not sure why the FCGI wrapper (which is daemonized and
multi-requests) would need to query its environment for REMOTE_ADDR
(which changes with each request and is normally sent to the FCGI daemon
through its socket), Carsten may need to provide additional details
and/or check https://github.com/sympa-community/sympa/issues/1020 for
work-arounds.
Cheers!
Sylvain