Differences
This shows you the differences between two versions of the page.
Previous revision: security_advisories [2015/02/06 12:31] david.verdin@renater.fr
Current revision: security_advisories [2018/04/12 09:54] ikeda@conversion.co.jp
Current revision (2018/04/12):

====== Security advisories ======

<note warning>
For updated information, see:
  * [[https://sympa-community.github.io/security/index.html|New documentation site]]
</note>

Previous revision (2015/02/06):

====== Security advisories ======

This page references the security advisories regarding Sympa.

===== 2012-001 Security breaches in archives management =====
==== 1. Threat ====

Possibility to bypass the authorization mechanisms in the archive management page.

==== 2. Systems Affected ====

All Sympa branches are affected.

  * In branch 6.0, all versions prior to 6.0.7
  * In branch 6.1, all versions prior to 6.1.11

==== 3. Summary ====

Multiple vulnerabilities have been discovered in Sympa archive management that allow the scenario-based authorization mechanisms to be skipped.

This breach allows an unauthorized user to:

  * display the archives management page ('arc_manage');
  * download the list's archives;
  * delete the list's archives.

==== 4. Solution ====

  * branch 6.1 : [[http://www.sympa.org/distribution/sympa-6.1.11.tar.gz|upgrade to version 6.1.11]]
  * branch 6.0 : [[http://www.sympa.org/distribution/sympa-6.0.7.tar.gz|upgrade to version 6.0.7]]

Users who can't upgrade to the latest versions have the following workaround: prevent access to the archive management page through the web server configuration,

Older versions are no longer maintained. Users of these versions should upgrade to 6.1.11 or 6.0.7 to prevent potential attacks.

==== 5. Links ====

Sympa 6.0.7 and 6.1.11 released
[[https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html]]

Sympa 6.1.11 released
[[https://www.sympa.org/#sympa_6111_released]]
===== 2015-001 Security breaches in newsletter posting (CVE-2015-1306) =====

CVE number: CVE-2015-1306

==== 1. Threat ====

Possibility to access files on the server filesystem.

==== 2. Systems Affected ====

All Sympa branches are affected.

  * In branch 6.0, all versions prior to 6.0.10
  * In branch 6.1, all versions prior to 6.1.24

==== 3. Summary ====

A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem.

Through the newsletter posting area of the Sympa web interface, this breach allows any file on the server filesystem that is readable by the Sympa user to be sent to a list or to a user.

==== 4. Solution ====

  * branch 6.1 : [[http://www.sympa.org/distribution/sympa-6.1.24.tar.gz|upgrade to version 6.1.24]]
  * branch 6.0 : [[http://www.sympa.org/distribution/sympa-6.0.10.tar.gz|upgrade to version 6.0.10]]

Users who can't upgrade to the latest versions have the following workaround: prevent mail sending through the web interface.

  - Copy </home_sympa>/default/web_tt2/compose_mail.tt2 to </home_sympa>/etc/web_tt2/compose_mail.tt2.
  - Replace the content of the file with an HTML fragment stating that posting through the web interface has been temporarily forbidden for security reasons.
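
The two workaround steps above, carried out by a small POSIX shell helper. This is an added example, not code from the Sympa project or from this advisory. It assumes the usual Sympa 6.x layout under a single home directory (default/web_tt2 for the shipped templates, etc/web_tt2 for the site-wide overrides, etc/<robot>/web_tt2 for per-robot and list_data/<list>/web_tt2 for per-list overrides, which in Sympa's template lookup order take precedence over etc/web_tt2); the function names, the backup suffix and the notice text are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper for the 2015-001 / CVE-2015-1306 workaround
# (added example, not Sympa's own code).
# Usage: disable_web_posting /home/sympa

# Constructed placeholder page that replaces the whole compose form.
NOTICE_HTML='<p class="warning">Posting through the web interface is temporarily disabled for security reasons (Sympa advisory 2015-001, CVE-2015-1306). Please post by e-mail.</p>'

# Step 1 + 2 of the advisory: install a site-wide override of
# compose_mail.tt2 that contains only the notice, so the web interface no
# longer renders the posting form. Any existing site customisation of the
# template is kept aside instead of being silently overwritten.
disable_web_posting() {
    home="$1"
    src="$home/default/web_tt2/compose_mail.tt2"
    dstdir="$home/etc/web_tt2"
    dst="$dstdir/compose_mail.tt2"

    [ -f "$src" ] || { echo "no default template at $src" >&2; return 1; }
    mkdir -p "$dstdir"
    if [ -f "$dst" ] && [ ! -f "$dst.pre-2015-001" ]; then
        cp "$dst" "$dst.pre-2015-001"
    fi
    printf '%s\n' "$NOTICE_HTML" > "$dst"
}

# Return 0 when the site-wide override is in place and no longer contains
# a form, i.e. the workaround is effective at the site level.
check_web_posting_disabled() {
    dst="$1/etc/web_tt2/compose_mail.tt2"
    [ -f "$dst" ] || return 1
    grep -qi '<form' "$dst" && return 1
    grep -q 'CVE-2015-1306' "$dst"
}

# Print lower-level copies of the template (per-robot etc/<robot>/web_tt2,
# per-list list_data/<list>/web_tt2). Those take precedence over the
# site-wide etc/web_tt2 in Sympa's template lookup, so each one would
# re-enable the posting form for its robot or list and needs the same
# treatment. The site-wide directory itself is pruned from the search.
find_overriding_templates() {
    for dir in "$1/etc" "$1/list_data"; do
        [ -d "$dir" ] || continue
        find "$dir" -path "$1/etc/web_tt2" -prune -o -name compose_mail.tt2 -print
    done
}
```

Run `disable_web_posting` against the Sympa home, then `check_web_posting_disabled` to confirm the override, and treat every path printed by `find_overriding_templates` as a template that still serves the form. Note that this only removes the web form; the fix in 6.0.10 / 6.1.24 is the actual remedy.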
- | |||
- | Older versions are no longer maintained. Users of this version should upgrade to 6.1.24 or 6.0.10 to prevent potential attacks. | ||
- | |||
- | ==== 5 - Links ==== | ||
- | |||
- | * [[https://security-tracker.debian.org/tracker/CVE-2015-1306|CVE description on Debian web site]] | ||
- | * [[http://sympa-ja.org/download/rhel/|Sympa repository for RHEL - useful for upgrade on Redhat family OS]] | ||
- | * [[https://listes.renater.fr/sympa/arc/sympa-announce/2015-01/msg00001.html|Sympa 6.0.10 and 6.1.24 announce]] | ||
- | * [[https://www.sympa.org/#sympa_6010_and_6124_released|Release announce on the Sympa web site]] |