Security advisories

This page references the security advisories regarding Sympa.

Possibility to bypass the authorization mechanisms in the archive management page.

All Sympa branches are affected.

• In branch 6.0, all versions prior to 6.0.7
• In branch 6.1, all versions prior to 6.1.11

Multiple vulnerabilities have been discovered in Sympa archive management that allow to skip the scenario-based authorization mechanisms.

This breach allows to:

• display the archives management page ('arc_manage');
• download the list's archives;
• delete the list's archives.

• branch 6.1 : upgrade to version 6.1.11
• branch 6.0 : upgrade to version 6.0.7

Users who can't upgrade to the latest versions have the following workaround solution: preventing, through web server configuration, to access the archive management,

Older versions are no longer maintained. Users of this version should upgrade to 6.1.11 or 6.0.7 to prevent potential attacks.

Sympa 6.0.7 and 6.1.11 released https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html

Sympa 6.1.11 released https://www.sympa.org/#sympa_6111_released