Your message dated Thu, 22 Jan 2015 13:26:21 +0000 with message-id <20150122132621.GE29173@lupin.home.powdarrmonkey.net> and subject line Re: Bug#775790: unblock: sympa/6.1.23~dfsg-2 has caused the Debian Bug report #775790, regarding unblock: sympa/6.1.23~dfsg-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 775790: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775790 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: sympa/6.1.23~dfsg-2
- From: Emmanuel Bouthenot <kolter@debian.org>
- Date: Mon, 19 Jan 2015 23:11:43 +0100
- Message-id: <[🔎] 20150119221143.30065.83735.reportbug@gendo.asyd.net>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package sympa It contains 2 fixes: One for a RC bug about conffile handling: https://bugs.debian.org/774877 Another one about a vulnerability discovered recently in the web interface (wwsympa) which allows one to send himself by himself any readable file by the sympa user on the filesystem. debdiff is attached. Thanks, unblock sympa/6.1.23~dfsg-2 -- System Information: Debian Release: 7.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bashdiff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog --- sympa-6.1.23~dfsg/debian/changelog 2014-09-17 20:48:59.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/changelog 2015-01-16 02:48:24.000000000 +0100 @@ -1,3 +1,12 @@ +sympa (6.1.23~dfsg-2) unstable; urgency=medium + + * Fix a bug in /etc/sympa/facility conffile handling (Closes: #774877) + * Add a patch to fix a vulnerability in the web interface (wwsympa) + which allows one to send himself by email any readable file by the + sympa user on the filesystem. + + -- Emmanuel Bouthenot <kolter@debian.org> Fri, 16 Jan 2015 02:48:12 +0100 + sympa (6.1.23~dfsg-1) unstable; urgency=medium * New upstream release diff -Nru sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability --- sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 1970-01-01 01:00:00.000000000 +0100 +++ sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 2015-01-16 02:41:27.000000000 +0100 @@ -0,0 +1,29 @@ +Description: Fix a vulnerability in the web interface (wwsympa) + which allows one to send himself by email any readable file by the + sympa user on the filesystem +Author: David Verdin <david.verdin@renater.fr> +Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch +Applied-Upstream: 6.1.24 +Last-Update: 2015-01-16 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/wwsympa/wwsympa.fcgi.in ++++ b/wwsympa/wwsympa.fcgi.in +@@ -15758,9 +15758,14 @@ + $pages_url = $in{'url'}; + + # parse return the MIME::Lite part to send +- my $MIMEmail = $mailHTML->parse($pages_url); +- +- $in{'body'} = $MIMEmail->as_string; ++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']); ++ my $MIMEmail = eval { $mailHTML->parse($pages_url) }; ++ if ($MIMEmail) { ++ $in{'body'} = $MIMEmail->as_string; ++ } else { ++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'}); ++ return undef; ++ } + + }else{ + diff -Nru sympa-6.1.23~dfsg/debian/patches/series sympa-6.1.23~dfsg/debian/patches/series --- sympa-6.1.23~dfsg/debian/patches/series 2014-03-22 09:04:27.000000000 +0100 +++ sympa-6.1.23~dfsg/debian/patches/series 2015-01-16 02:32:49.000000000 +0100 @@ -1,3 +1,4 @@ +0001_fix_web_interface_vulnerability 1002_mysql_default_charset_engine.patch 1004_wizard_support_batch_and_display_mode.patch 1005_wizard_emit_cmd_and_newline_when_dying.patch diff -Nru sympa-6.1.23~dfsg/debian/sympa.preinst sympa-6.1.23~dfsg/debian/sympa.preinst --- sympa-6.1.23~dfsg/debian/sympa.preinst 2013-10-03 13:46:30.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/sympa.preinst 2015-01-16 02:09:47.000000000 +0100 @@ -36,6 +36,16 @@ done fi + +case "$1" in + install|upgrade) + if dpkg --compare-versions "$2" "<" "6.1.22~dfsg-1"; then + # delete sympa facility before managing it as a conffile (#774877) + rm -f /etc/sympa/facility + fi + ;; +esac + #DEBHELPER# exit 0
--- End Message ---
--- Begin Message ---
- To: Emmanuel Bouthenot <kolter@debian.org>, 775790-done@bugs.debian.org
- Subject: Re: Bug#775790: unblock: sympa/6.1.23~dfsg-2
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Thu, 22 Jan 2015 13:26:21 +0000
- Message-id: <20150122132621.GE29173@lupin.home.powdarrmonkey.net>
- In-reply-to: <[🔎] 20150119221143.30065.83735.reportbug@gendo.asyd.net>
- References: <[🔎] 20150119221143.30065.83735.reportbug@gendo.asyd.net>
On Mon, Jan 19, 2015 at 11:11:43PM +0100, Emmanuel Bouthenot wrote: > Please unblock package sympa > > unblock sympa/6.1.23~dfsg-2 Already unblocked by me on 16th January, reached testing yesterday. Please use grep-excuses or look at the PTS first. -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51Attachment: signature.asc
Description: Digital signature
--- End Message ---