Debian Security Advisory

DLA-2441-1 sympa -- LTS security update

Date Reported:
09 Nov 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 908165, Bug 972189.
In Mitre's CVE dictionary: CVE-2018-1000671, CVE-2020-26880.
More information:

A privilege escalation was discovered in Sympa, a modern mailing list manager. It is fixed when Sympa is used in conjunction with common MTAs (such as Exim or Postfix) by disabling a setuid executable, although no fix is currently available for all environments (such as sendmail). Additionally, an open-redirect vulnerability was discovered and fixed.

  • CVE-2020-26880

    Sympa allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

  • CVE-2018-1000671

    Sympa contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The referer parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs.

For Debian 9 stretch, these problems have been fixed in version 6.2.16~dfsg-3+deb9u4.

We recommend that you upgrade your sympa packages.

For the detailed security status of sympa please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: