Debian Security Advisory
DLA-2441-1 sympa -- LTS security update
- Date Reported: 09 Nov 2020
- Affected Packages: sympa
- Security database references: In the Debian bugtracking system: Bug 908165, Bug 972189. In Mitre's CVE dictionary: CVE-2018-1000671, CVE-2020-26880.
- More information:
A privilege escalation was discovered in Sympa, a modern mailing list manager. It is fixed when Sympa is used in conjunction with common MTAs (such as Exim or Postfix) by disabling a setuid executable, although no fix is currently available for all environments (such as sendmail). Additionally, an open-redirect vulnerability was discovered and fixed.
Sympa allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.
Sympa contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the referer parameter of the wwsympa.fcgi login action that can result in open redirection and reflected XSS via data URIs.
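The open-redirect class described above is usually mitigated by validating the client-supplied return target before redirecting to it. The following Python function is an added illustration of such a check and is not Sympa's own (Perl) code; the function name, the `lists.example.org` origin and the sample inputs are constructed for the example. It rejects non-http(s) schemes (so data: and javascript: values never reach a Location header), scheme-relative and foreign-host URLs, and whitespace/backslash variants that defeat naive prefix checks.

```python
from urllib.parse import urlsplit, urljoin, urlunsplit

# Hypothetical origin for the list server; not a real Sympa deployment.
SITE_ORIGIN = "https://lists.example.org"


def safe_return_url(referer: str, site_origin: str = SITE_ORIGIN, default: str = "/") -> str:
    """Return a redirect target that stays on site_origin, or `default`.

    Accepts only http(s) URLs on our own scheme and host, or site-relative
    paths; everything else (data:, javascript:, scheme-relative //host,
    userinfo tricks, backslash variants) falls back to `default`.
    """
    if not referer:
        return default
    target = referer.strip()
    # Embedded whitespace/control characters are used to smuggle schemes past
    # naive prefix checks, and browsers treat a backslash like a slash.
    if "\\" in target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)  # urlsplit lowercases the scheme for us
    # Any explicit scheme other than http/https (data:, javascript:, ...) is out.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    # Resolve relative paths against our own origin, then require the result
    # to land on exactly our scheme and host (this also catches "//evil").
    resolved = urlsplit(urljoin(site_origin + "/", target))
    origin = urlsplit(site_origin)
    if (resolved.scheme, resolved.netloc.lower()) != (origin.scheme, origin.netloc.lower()):
        return default
    return urlunsplit(resolved)


if __name__ == "__main__":
    # Constructed sample values a client might send in the referer parameter.
    for sample in ["/wws/lists", "//evil.example/", "data:text/html,<script>alert(1)</script>"]:
        print(repr(sample), "->", safe_return_url(sample))
```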
For Debian 9 stretch, these problems have been fixed in version 6.2.16~dfsg-3+deb9u4.
We recommend that you upgrade your sympa packages.
For the detailed security status of sympa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sympa
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS