On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
> 
> Dear Maintainer(s),
> 
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
> 
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr: "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
> Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream, client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "FQDN", referrer: "https://FQDN/sympa"
> 
> My configuration may be a bit "nasty" and may contribute here:
> 
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
> 
> After comparing the changes between u2 and u3 I fear this change here
> 
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> -    return execve(WWSYMPA,argv,envp);
> +    return execve(WWSYMPA, argv, myenvp);
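Review bot: replacing envp with the fixed myenvp in the execve call drops every variable the caller passed, not only the risky ones, so the CGI request variables (REMOTE_ADDR among them) that an fcgiwrap/CGI-style invocation hands over through the process environment never reach wwsympa, which matches the uninitialized $remote_addr warnings quoted above. If the intent is only to neutralise IFS and PATH for the setuid wrapper, copy an allow-list of the standard CGI variables from envp into the new environment and force IFS and PATH on top of them; otherwise the changelog should state plainly that CGI-mode invocation is no longer supported.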
> 
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
> 
> Cheers
> 
> Carsten

Comment from upstream:

Anyways the patch assumes that CGI mode has been deprecated. It is incompatible with CGI mode supported by earlier versions of Sympa.

https://github.com/sympa-community/sympa/issues/1020#issuecomment-708223858

Regards
        Racke

> 
> -- System Information:
> Debian Release: 9.13
>   APT prefers oldstable
>   APT policy: (500, 'oldstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages sympa depends on:
> ii  adduser                           3.115
> ii  ca-certificates                   20200601~deb9u1
> ii  dbconfig-common                   2.0.8
> ii  debconf [debconf-2.0]             1.5.61
> ii  fonts-font-awesome                4.7.0~dfsg-1
> ii  init-system-helpers               1.48
> ii  libarchive-zip-perl               1.59-1+deb9u1
> ii  libc6                             2.24-11+deb9u4
> ii  libcgi-fast-perl                  1:2.12-1
> ii  libcgi-pm-perl                    4.35-1
> ii  libclass-singleton-perl           1.5-1
> ii  libcrypt-openssl-x509-perl        1.8.7-3
> ii  libcrypt-smime-perl               0.19-2
> ii  libdatetime-format-mail-perl      0.4030-1
> ii  libdbd-csv-perl                   0.4900-1
> ii  libdbd-mysql-perl                 4.041-2
> ii  libdbd-pg-perl                    3.5.3-1+b2
> ii  libdbd-sqlite3-perl               1.54-1
> ii  libdbi-perl                       1.636-1+deb9u1
> ii  libfcgi-perl                      0.78-2
> ii  libfile-copy-recursive-perl       0.38-1
> ii  libfile-nfslock-perl              1.27-1
> ii  libhtml-format-perl               2.12-1
> ii  libhtml-stripscripts-parser-perl  1.03-1
> ii  libhtml-tree-perl                 5.03-2
> ii  libintl-perl                      1.26-2
> ii  libio-stringy-perl                2.111-2
> ii  libjs-jquery                      3.1.1-2+deb9u1
> ii  libjs-jquery-migrate-1            1.4.1-1
> ii  libjs-jquery-placeholder          2.3.1-2
> ii  libjs-jquery-ui                   1.12.1+dfsg-4
> ii  libjs-modernizr                   2.6.2+ds1-1
> ii  libjs-twitter-bootstrap           2.0.2+dfsg-10
> ii  libmail-dkim-perl                 0.40-1
> ii  libmailtools-perl                 2.18-1
> ii  libmime-charset-perl              1.012-2
> ii  libmime-encwords-perl             1.014.3-2
> ii  libmime-lite-html-perl            1.24-2
> ii  libmime-tools-perl                5.508-1
> ii  libmsgcat-perl                    1.03-6+b3
> ii  libnet-cidr-perl                  0.18-1
> ii  libnet-dns-perl                   1.07-1
> ii  libnet-ldap-perl                  1:0.6500+dfsg-1
> ii  libnet-netmask-perl               1.9022-1
> ii  libregexp-common-perl             2016060801-1
> ii  libsoap-lite-perl                 1.20-1
> ii  libtemplate-perl                  2.24-1.2+b3
> ii  libterm-progressbar-perl          2.18-1
> ii  libunicode-linebreak-perl         0.0.20160702-1+b1
> ii  libxml-libxml-perl                2.0128+dfsg-1+deb9u1
> ii  lsb-base                          9.20161125
> ii  mhonarc                           2.6.19-2
> ii  perl                              5.24.1-3+deb9u7
> ii  postfix [mail-transport-agent]    3.1.15-0+deb9u1
> ii  rsyslog [system-log-daemon]       8.24.0-1
> ii  sqlite3                           3.16.2-5+deb9u2
> 
> Versions of packages sympa recommends:
> pn  apache2-suexec                     <none>
> pn  default-mysql-server | postgresql  <none>
> pn  doc-base                           <none>
> pn  libapache2-mod-fcgid               <none>
> pn  libcrypt-ciphersaber-perl          <none>
> ii  libio-socket-ssl-perl              2.044-1
> ii  locales                            2.24-11+deb9u4
> ii  logrotate                          3.11.0-0.1
> 
> Versions of packages sympa suggests:
> pn  libauthcas-perl          <none>
> pn  libdbd-odbc-perl         <none>
> pn  libdbd-oracle-perl       <none>
> ii  nginx-light [httpd-cgi]  1.10.3-1+deb9u5
> 
> -- debconf information excluded
> 


-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
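The failure discussed in this thread comes from a wrapper that replaces the whole environment with two fixed entries before execve. The example below is added here and is not Sympa's wrapper code or the Debian patch: it shows the allow-list alternative, where a setuid wrapper forces safe IFS and PATH values but still copies the standard CGI request variables (names per RFC 3875 and the usual HTTP_* headers) that a CGI-style front end such as fcgiwrap delivers through the process environment. The contents of the allow-list and the sample environment are this example's own assumptions; a real wrapper would call sanitize_env() on its envp and pass the result to execve.

```c
/* Added example (not Sympa's code): build a sanitised environment for a
 * setuid CGI/FastCGI wrapper with an allow-list instead of discarding
 * everything the caller passed. The allow-list below is an assumption
 * for illustration; the variable names are the standard CGI ones. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Request variables the CGI front end sets that the application needs.
 * REMOTE_ADDR is the one Sympa's session check relies on. */
static const char *const allowed[] = {
    "REMOTE_ADDR", "REMOTE_PORT", "REQUEST_METHOD", "REQUEST_URI",
    "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH", "SCRIPT_NAME",
    "PATH_INFO", "SERVER_NAME", "SERVER_PORT", "HTTPS",
    "HTTP_HOST", "HTTP_COOKIE", "HTTP_REFERER", "HTTP_USER_AGENT",
    NULL
};

/* Fixed, trusted values that always win over whatever the caller sent. */
static const char *const forced[] = {
    "IFS= \t\n", "PATH=/bin:/usr/bin", NULL
};

/* Returns 1 if entry ("NAME=value") has a NAME on the allow-list. */
static int is_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;            /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; allowed[i] != NULL; i++) {
        if (strlen(allowed[i]) == len && strncmp(allowed[i], entry, len) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated envp: forced entries first, then the
 * allow-listed entries from envp. IFS and PATH are not on the allow-list,
 * so caller-supplied values for them are never copied. The returned array
 * is malloc'd (entries point into the caller's strings); caller frees it. */
char **sanitize_env(char *const envp[]) {
    size_t n_forced = 0, n_in = 0;
    while (forced[n_forced] != NULL) n_forced++;
    while (envp[n_in] != NULL) n_in++;
    char **out = calloc(n_forced + n_in + 1, sizeof *out);
    if (out == NULL) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n_forced; i++) out[k++] = (char *)forced[i];
    for (size_t i = 0; i < n_in; i++) {
        if (is_allowed(envp[i])) out[k++] = envp[i];
    }
    out[k] = NULL;
    return out;
}

/* Look up NAME in a NULL-terminated env array; returns its value or NULL. */
const char *env_lookup(char *const envp[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    }
    return NULL;
}

int main(void) {
    /* Constructed sample of what an fcgiwrap-style caller might hand over,
     * including entries a setuid wrapper must not trust. */
    char *sample[] = {
        "REMOTE_ADDR=192.0.2.10", "REQUEST_METHOD=POST",
        "PATH=/tmp/untrusted:/bin", "LD_PRELOAD=/tmp/untrusted.so", "IFS=/",
        "HTTP_COOKIE=sympa_session=abc", NULL
    };
    char **clean = sanitize_env(sample);
    if (clean == NULL) return 1;
    for (size_t i = 0; clean[i] != NULL; i++) puts(clean[i]);
    free(clean);
    return 0;
}
```

Run stand-alone it prints the forced IFS and PATH followed by REMOTE_ADDR, REQUEST_METHOD and HTTP_COOKIE; the caller's PATH, IFS and LD_PRELOAD entries are gone. Whether a wrapper needs to preserve request variables at all depends on the invocation mode: in the CGI-style path described in the report they travel in the process environment, which is why a wholesale replacement breaks session handling.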
