Differences

security_advisories [2015/01/13 17:29]
david.verdin@renater.fr
security_advisories [2018/04/12 09:54] (current)
ikeda@conversion.co.jp
Line 1: Line 1:
-====== Security advisories ======+====== ​× Security advisories ======
  
-This page references the security advisories regarding Sympa.+<note warning>​ 
 +For updated information,​ see:
  
-===== 2012-001 Security breaches in archives management =====+  * [[https://​sympa-community.github.io/​security/​index.html|New documentation site]]
  
 +</​note>​
  
-==== 1. Threat ==== 
- 
- 
-Possibility to bypass the authorization mechanisms in the archive management page. 
- 
- 
-==== 2. Systems Affected ==== 
- 
- 
-All Sympa branches are affected. 
- 
-  * In branch 6.0, all versions prior to 6.0.7 
-  * In branch 6.1, all versions prior to 6.1.11 
- 
-==== 3. Summary ==== 
- 
- 
-Multiple vulnerabilities have been discovered in Sympa archive management that allow to skip the scenario-based authorization mechanisms. 
- 
-This breach allows to: 
- 
-  * display the archives management page ('​arc_manage'​);​ 
-  * download the list's archives; 
-  * delete the list's archives. 
- 
-==== 4. Solution ==== 
- 
- 
-  * branch 6.1 : [[http://​www.sympa.org/​distribution/​sympa-6.1.11.tar.gz|upgrade to version 6.1.11]] 
-  * branch 6.0 : [[http://​www.sympa.org/​distribution/​sympa-6.0.7.tar.gz|upgrade to version 6.0.7]] 
- 
-Users who can't upgrade to the latest versions have the following workaround solution: preventing, through web server configuration,​ to access the archive management, ​ 
- 
-Older versions are no longer maintained. Users of this version should upgrade to 6.1.11 or 6.0.7 to prevent potential attacks. 
- 
-==== 5 - Links ==== 
- 
- 
-Sympa 6.0.7 and 6.1.11 released 
-[[https://​listes.renater.fr/​sympa/​arc/​sympa-announce/​2012-05/​msg00001.html]] 
- 
-Sympa 6.1.11 released 
-[[https://​www.sympa.org/#​sympa_6111_released]] 
- 
-===== 2015-001 Security breaches in newsletter posting ===== 
- 
- 
-==== 1. Threat ==== 
- 
- 
-Possibility to bypass the authorization mechanisms in the archive management page. 
- 
- 
-==== 2. Systems Affected ==== 
- 
- 
-All Sympa branches are affected. 
- 
-  * In branch 6.0, all versions prior to 6.0.10 
-  * In branch 6.1, all versions prior to 6.1.24 
- 
-==== 3. Summary ==== 
- 
- 
-A vulnerability have been discovered in Sympa web interface that allows access to files on the server filesystem. 
- 
-This breach allows to send to a list or a user a file located on the server filesystem through the Sympa web interface. 
- 
-==== 4. Solution ==== 
- 
- 
-  * branch 6.1 : [[http://​www.sympa.org/​distribution/​sympa-6.1.24.tar.gz|upgrade to version 6.1.24]] 
-  * branch 6.0 : [[http://​www.sympa.org/​distribution/​sympa-6.0.10.tar.gz|upgrade to version 6.0.10]] 
- 
-Users who can't upgrade to the latest versions have the following workaround solution: prevent mail sending through the web interface. 
- 
-  - copy </​home_sympa>/​default/​web_tt2/​compose_mail.tt2 to </​home_sympa>/​etc/​compose_mail.tt2 
-  - comment the content of this file in HTML : 
-    * add '<​html>&​lt;</​html>​!--'​ at the beginning of the file 
-    * add '​-->'​ at the end of the file. 
- 
-Older versions are no longer maintained. Users of this version should upgrade to 6.1.24 or 6.0.10 to prevent potential attacks. 
- 
-==== 5 - Links ==== 
- 
-No links yet. 
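Review bot: the replacement heading in this hunk carries a stray character ("====== ​× Security advisories ======"); it should read "====== Security advisories ======" so the page title renders cleanly. The hunk also drops every detail of both advisories (2012-001: fixed in 6.0.7 / 6.1.11; 2015-001: fixed in 6.0.10 / 6.1.24) in favour of a single link to the new documentation site; since the new site is a moving target, consider keeping at least the advisory identifiers and affected-version ranges on this page, or stating explicitly that the historic advisories have been migrated, so that operators landing here from old release notes are not left without the fixed-version information. If the removed text is migrated rather than discarded, two defects in it should be corrected on the way: the 2015-001 "Threat" paragraph repeats the 2012-001 wording ("Possibility to bypass the authorization mechanisms in the archive management page") although its own summary describes access to server filesystem files through newsletter posting, and the 2012-001 workaround sentence is truncated ("preventing, through web server configuration, to access the archive management,"), leaving the reader without the actual mitigation step.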
  • security_advisories.1421166586.txt.gz
  • Last modified: 2015/01/13 17:29
  • by david.verdin@renater.fr