Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4475 sympa security update 18 December 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: sympa Publisher: Debian Operating System: Debian GNU/Linux UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-29668 Original Bulletin: https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running sympa check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2499-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ December 17, 2020 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : sympa Version : 6.2.16~dfsg-3+deb9u5 CVE ID : CVE-2020-29668 Debian Bug : 976020 Sympa, a modern mailing list manager, grants full SOAP API access by sending invalid string as the cookie value, if the SOAP endpoint was enabled. An attacker could manipulate the mailing lists, including subscribing e-mails or getting the list of subscribers. For Debian 9 stretch, this problem has been fixed in version 6.2.16~dfsg-3+deb9u5. We recommend that you upgrade your sympa packages. For the detailed security status of sympa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sympa Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/bW4MACgkQj/HLbo2J BZ/CnQf/e1ChPTSzJd6z9IecUvlAUR25AgjOTC0F5lj1NcaIeeibrF3JzPbxWhIE tlJ/lF9Jg83koQSVqZ/DdKmEi0rIcG07ll8SnM4SCI8kDbI1u31nIOGCMPejLaM7 xwuEbMxkRp74jIAonp/Th9B7cgI+YiP8RbCkbn7PmYS6q2LWY9DJxUTO3NF6toRy GJKLOC9D+vAcsxelEzPQpg4ZQHMaEtgv82FASw9TDzAC6xkBlnKFITmkV/s9nlfY 0ogoYsixq0bBf4dIsiXmi85TGhDuAAG5efyKIh3S1Hwgh52vpGaaIf5vmfd1I6tL fG17yQ/oVrQMFH3vmzLn1XPceKqv7Q== =5nsz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX9v8puNLKJtyKPYoAQjA5A//cGmFdDdq3HnAPuMtuG+2N0SlUl41yrLJ OuKj5BBxvPMcjxEqgf2ZmjQ9oZHZbJVqBfsyj2BFNC/n3cNvR3sLIQLhx39FOC8O DArzqI+0JkiQzx/KxG27VQwPkc1Bg9f6RRn7WaU/j5On6ktrUaUdbrIrl4t/Ftsy 2T2761DNFsC8d8JSRweB18Q5Ea/9xupvqqlOL5UFu+28pzES2FHBcFSgc784Ed+X DRJ+iQcs8K9q56QqOyY2yb6BRL5zJ05qf+UlTcytAhpzSIFBKUHniEDefdLq6SHf ze+UlI2XYfZoA9PNPyR4mKnZfjfTxsqcl6aWuNu+AKDkMW4nH5jBTx8BtSwEKKdo htFdyoeV3hTS2cBvUk4WWKj/nbgWqdr4qhXZU3nLrFOTsOqEbbl4JqQNE9hHh0IG yRuUBcF/NatyFfL+Ooip77L3vqggzjk81nlPTw3AeigFMo/LmaarEbCvYQ7164oE Cu0ZT9UTDcswGp8lFtWDn+qCD4sivQzSXU9JY/i+aASOn9K1lMzqZEPyQtIoa/g6 KrkZIfuGkbxo716alZOvO92aXI2oQw6uamQfCVkHZeMIUfEDWgrVJjXJe8V0mbv4 LSW2j6jVW8OzODEs+T+8wvno3r20fdDksqheXLYqhzdwIjSXCPs0M4GBcNE9GyRs ZNK7LwBH3fI= =sS/V -----END PGP SIGNATURE-----