
Re: [SECURITY] [DLA 2441-1] sympa security update

Hi Antoine,

On 09/11/2020 16:48, Antoine Beaupré wrote:
> On 2020-11-09 14:04:02, Sylvain Beucler wrote:
>> - -------------------------------------------------------------------------
>> Debian LTS Advisory DLA-2441-1                debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/
>> November 09, 2020                             https://wiki.debian.org/LTS
>> - -------------------------------------------------------------------------
>>
>> Package        : sympa
>> Version        : 6.2.16~dfsg-3+deb9u4
>> CVE ID         : CVE-2018-1000671 CVE-2020-26880
>> Debian Bug     : 908165 972189
>
> What's up with those bug reports? #908165 refers to CVE-2018-1000671 but
> #972189 refers to CVE-2020-10936, not CVE-2020-26880.

This upload indeed addresses #972189 which, as documented in my concluding message to that bug, and in the package changelog, involves adding a bit of documentation related to CVE-2020-10936 (fixed in the previous upload).

> Also, CVE-2020-26880 is marked as unfixed in the security tracker (and
> the upstream bugtracker), but not CVE-2020-10936...
>
> Which one is which? Is the sympa package in Debian LTS still vulnerable
> to privilege escalation?

The rest of the advisory explains this:

: A privilege escalation was discovered in Sympa, a modern mailing list
: manager. It is fixed when Sympa is used in conjunction with common
: MTAs (such as Exim or Postfix) by disabling a setuid executable,
: although no fix is currently available for all environments (such as
: sendmail).

The security tracker's status is set accordingly:
[stretch] - sympa <postponed> (Mitigated, revisit when fixed upstream)

For further context, according to my exchanges with upstream, little manpower is available to fully fix current security issues, so it is unlikely we'll get a complete fix in the coming months/year. Meanwhile, this upload allows fixing CVE-2020-26880 in 90% of cases (that is, basically all MTA setups besides plain sendmail).

Let me know if something needs to be clarified and how.

Cheers!
Sylvain