Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2640 sympa security update 6 September 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: sympa Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Modify Arbitrary Files -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-1000550 Reference: ESB-2018.2148 Original Bulletin: http://www.debian.org/security/2018/dsa-4285 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4285-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 05, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : sympa CVE ID : CVE-2018-1000550 Michael Kaczmarczik discovered a vulnerability in the web interface template editing function of Sympa, a mailing list manager. Owner and listmasters could use this flaw to create or modify arbitrary files in the server with privileges of sympa user or owner view list config files even if edit_list.conf prohibits it. For the stable distribution (stretch), this problem has been fixed in version 6.2.16~dfsg-3+deb9u1. We recommend that you upgrade your sympa packages. For the detailed security status of sympa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sympa Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAluQLrtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T/ow/+Piml6kbT2V/uwN88inH8NzNnjDQNj0HSVOAUyA0b9XdVfd6PhSDZgVm8 wi45hG9S0B8LduMCPP78sqdsDi/Wstrgr8oaLZyszF0eEFGeMJpyhQ8byacC2BjX U2VOZuOUVcE1A9IzubpYSDU9A3cZDGEayxQhUGkOG71QIOF1eTWHE4MGu3aT5ck2 3/NjGJgUwsf+a86php6PqzsqibKkKLj3uez4wQSAdM5rlkn8C8rEdgAtLAhScrSs DKHUtZ0fiKXzt6G4X9uYAfhnVECcGBBtaiyuo76VgYEgMQghrAhVtPIdE8Be867t 4n2Nx8qJE/Fggm8UlDnzc3U/dyY/xLmiJmfn63dI0QvibcsxYB+SbRgO4+WpOD3H 8+iZyAQdX6/msuDkX640ehg8qHH6cVp7b2v2KS3F/yFvFiKr3Lw729TPB5gHheOd b8MwDXNIC7Oi0lc2gXV5LxzVORxFmakaQmf83KK1ySREa82qC1W7MaSqHz7sDCyd 2Tf3e79d8ekXowWOD1mxUESiHCrE8LCDs7B7SfULOu8OI6CQ/Gq1jJNuUsQwTXkh ZyHB3HnuEldlCrFXLVsDvozbGYX1gxlIB2+DHlD3RxnCMrZMPD5Ij1NUmQXdJP2P btnBI0nxBwvS9Pa16FTmbIrS+LctZhHl/GAgJVIsSIVjuInTmaU= =SpYh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW5Bty2aOgq3Tt24GAQgh2Q//a28N4pU9n4Qmlz04LtA48w8HkWP+Gen2 9NY7n+GVZ/eF4sdyuwCNnZjL3SLEUGt6MRDnrRJgdBcg2bpA9Ua8JtZ/+kxvigBR lM9SZ/z8Z1ASj7qi+ln3jHVk8+8oAWE2YzM+b2cBUqeyUneb7OXH9II0UBrlnk59 Mxff+WEX5pzZY6aGUdOZ1fxdAYFvuWseaBeYv2hV07NEkqnQM8iDSr0mRJZcMU5F kxbwTO8/ZLcQ5crQBqTNbfQwZ4Rme8/fd8z21z2M2Y7r3w0Mljk8NZwS+NVk3YZ5 MaDQt0/wOQVzMbJLl1m0JflMPE2SXmitoFT3t0fz1YOoRENaWVVZgy9Dd2WDPfCp ZSf+tJ4EzuouHqVHVER/WJOPxKKrdCfagMtM/rAe8CN5GcAgMgg3GY7Cw6qF6iyz Xo5vnUIoWzGRgFApD4ya+1YUlC2LAVyPuSmhR0MY6Zr17tsm3AOknujL9I2KlAPi WVz8ECoAA1F2EaiFD8cnBzGlFCoLQHYcYYKxwrZCwBJ/WiyBIG8iy6EzxnZT+iX9 I+UkimosyfQLl/Kqb2Xy3AIbXZ9xLI+2Q6wod9FEamZGoJJx8VIgELp9pl8mFWoS y1ZXw1DmS0Bv8a/9t/1nVvhNSlaKc0C3YnDyDJp7XqxzvLqPM3l5vUpwZFx9d1Qn 269QlDQfBY8= =lvju -----END PGP SIGNATURE-----