Re: Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

To: 972189@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 6 Nov 2020 17:54:44 +0100
Message-id: <[🔎] 35ae72f4-8ddc-0df5-25ac-b081cf8ef2d1@beuc.net>
In-reply-to: <20201015113010.GB13601@layer-acht.org>
References: <160265536664.3242.6455977714945126980.reportbug@sympa.wycom.local> <a108805c-09a9-48a1-af8d-88cee9a55160@www.fastmail.com> <bd9da872-f04a-c575-4e58-50c56a9a1693@beuc.net> <20201015113010.GB13601@layer-acht.org>

Hi,

From what I understand the FCGI wrapper was used as CGI through e.g.fcgiwrap, and upstream recommended to switch to fcgi-spawn followinghttps://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html

Carsten agreed and suggested we add a note about this in the Debiandocumentation, so I plan to add a note in README.Debian or NEWS.Debian.

https://github.com/sympa-community/sympa/issues/1020#issuecomment-710763168

Given there were no other reports I believe this addresses the issue.

Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Prev by Date: Time to remove cacti from dla-needed?
Next by Date: Re: Time to remove cacti from dla-needed?
Previous by thread: Re: Time to remove cacti from dla-needed?
Next by thread: Re: Request for patch review (brotli)
Index(es):
- Date
- Thread