Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4475
sympa security update
18 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: sympa
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-29668
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running sympa check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2499-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/
December 17, 2020 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : sympa
Version : 6.2.16~dfsg-3+deb9u5
CVE ID : CVE-2020-29668
Debian Bug : 976020
Sympa, a modern mailing list manager, grants full SOAP API access by
sending invalid string as the cookie value, if the SOAP endpoint was
enabled. An attacker could manipulate the mailing lists, including
subscribing e-mails or getting the list of subscribers.
For Debian 9 stretch, this problem has been fixed in version
6.2.16~dfsg-3+deb9u5.
We recommend that you upgrade your sympa packages.
For the detailed security status of sympa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sympa
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/bW4MACgkQj/HLbo2J
BZ/CnQf/e1ChPTSzJd6z9IecUvlAUR25AgjOTC0F5lj1NcaIeeibrF3JzPbxWhIE
tlJ/lF9Jg83koQSVqZ/DdKmEi0rIcG07ll8SnM4SCI8kDbI1u31nIOGCMPejLaM7
xwuEbMxkRp74jIAonp/Th9B7cgI+YiP8RbCkbn7PmYS6q2LWY9DJxUTO3NF6toRy
GJKLOC9D+vAcsxelEzPQpg4ZQHMaEtgv82FASw9TDzAC6xkBlnKFITmkV/s9nlfY
0ogoYsixq0bBf4dIsiXmi85TGhDuAAG5efyKIh3S1Hwgh52vpGaaIf5vmfd1I6tL
fG17yQ/oVrQMFH3vmzLn1XPceKqv7Q==
=5nsz
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX9v8puNLKJtyKPYoAQjA5A//cGmFdDdq3HnAPuMtuG+2N0SlUl41yrLJ
OuKj5BBxvPMcjxEqgf2ZmjQ9oZHZbJVqBfsyj2BFNC/n3cNvR3sLIQLhx39FOC8O
DArzqI+0JkiQzx/KxG27VQwPkc1Bg9f6RRn7WaU/j5On6ktrUaUdbrIrl4t/Ftsy
2T2761DNFsC8d8JSRweB18Q5Ea/9xupvqqlOL5UFu+28pzES2FHBcFSgc784Ed+X
DRJ+iQcs8K9q56QqOyY2yb6BRL5zJ05qf+UlTcytAhpzSIFBKUHniEDefdLq6SHf
ze+UlI2XYfZoA9PNPyR4mKnZfjfTxsqcl6aWuNu+AKDkMW4nH5jBTx8BtSwEKKdo
htFdyoeV3hTS2cBvUk4WWKj/nbgWqdr4qhXZU3nLrFOTsOqEbbl4JqQNE9hHh0IG
yRuUBcF/NatyFfL+Ooip77L3vqggzjk81nlPTw3AeigFMo/LmaarEbCvYQ7164oE
Cu0ZT9UTDcswGp8lFtWDn+qCD4sivQzSXU9JY/i+aASOn9K1lMzqZEPyQtIoa/g6
KrkZIfuGkbxo716alZOvO92aXI2oQw6uamQfCVkHZeMIUfEDWgrVJjXJe8V0mbv4
LSW2j6jVW8OzODEs+T+8wvno3r20fdDksqheXLYqhzdwIjSXCPs0M4GBcNE9GyRs
ZNK7LwBH3fI=
=sS/V
-----END PGP SIGNATURE-----