Hi.
I've prepared an update for oldstable-security, based on the upstream commits. abhijith.
diff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog --- sympa-6.1.23~dfsg/debian/changelog 2018-07-24 21:14:39.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/changelog 2018-09-19 19:15:20.000000000 +0200 @@ -1,3 +1,10 @@ +sympa (6.1.23~dfsg-2+deb8u3) jessie-security; urgency=medium + + * Non-maintainer upload by the Debian LTS Security Team. + * Fix CVE-2018-1000671: Open redirection vulnerability (Closes: #908165) + + -- Abhijith PA <abhij...@disroot.org> Wed, 19 Sep 2018 22:45:20 +0530 + sympa (6.1.23~dfsg-2+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch --- sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch 1970-01-01 01:00:00.000000000 +0100 +++ sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch 2018-09-19 19:15:20.000000000 +0200 
@@ -0,0 +1,95 @@ +Description: CVE-2018-1000671 + URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The + "referer" parameter of the wwsympa.fcgi login action. that can result in Open + redirection and reflected XSS via data URIs. + +Author: Abhijith PA <abhij...@disroot.org> +Origin: https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1 + https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325 +Bug: https://github.com/sympa-community/sympa/issues/268 +Bug-Debian: https://bugs.debian.org/908165 +Last-Update: 2018-09-19 + +--- sympa-6.1.23~dfsg.orig/wwsympa/wwsympa.fcgi.in ++++ sympa-6.1.23~dfsg/wwsympa/wwsympa.fcgi.in +@@ -3029,8 +3029,9 @@ sub do_ticket { + my $user; + my $next_action; + +- if ($in{'referer'}) { +- $param->{'redirect_to'} = &tools::unescape_chars($in{'referer'}); ++ my $url_redirect; ++ if ($url_redirect = _clean_referer($in{'referer'})) { ++ $param->{'redirect_to'} = $url_redirect; + }elsif ($in{'previous_action'} && + $in{'previous_action'} !~ /^(login|logout|loginrequest)$/) { + $next_action = $in{'previous_action'}; +@@ -3076,8 +3077,8 @@ sub do_ticket { + if($url_redirect = &is_ldap_user($in{'email'})){ + $param->{'redirect_to'} = $url_redirect + if ($url_redirect && ($url_redirect != 1)); +- }elsif ($in{'failure_referer'}) { +- $param->{'redirect_to'} = $in{'failure_referer'}; ++ } elsif ($url_redirect = _clean_referer($in{'failure_referer'})) { ++ $param->{'redirect_to'} = $url_redirect; + }else{ + $in{'init_email'} = $in{'email'}; + $param->{'init_email'} = $in{'email'}; +@@ -3118,12 +3119,14 @@ sub do_ticket { + }else{ + $param->{'login_error'} = 'wrong_password'; + } ++ ++ my $url_redirect; + if ($in{'previous_action'}) { + delete $in{'passwd'}; + $in{'list'} = $in{'previous_list'}; + return $in{'previous_action'}; +- }elsif ($in{'failure_referer'}) { +- $param->{'redirect_to'} = $in{'failure_referer'}; ++ } elsif ($url_redirect = 
_clean_referer($in{'failure_referer'})) { ++ $param->{'redirect_to'} = $url_redirect; + }else { + return 'renewpasswd'; + } +@@ -3204,6 +3207,29 @@ sub do_ticket { + + } + ++sub _clean_referer { ++ my $referer = shift; ++ ++ return undef ++ unless $referer and $referer =~ m{\Ahttps?://}i; ++ ++ # Allow referer within scope of cookie domain. ++ my $host = lc(URI->new($referer)->host); ++ my $mydom = lc($param->{'cookie_domain'} || 'localhost'); ++ if ($mydom eq 'localhost') { ++ my $myhost = Sympa::WWW::Tools::get_http_host() || ''; ++ $myhost =~ s/:\d+\z//; ++ return undef ++ unless $host eq $myhost; ++ } else { ++ $mydom =~ s/\A(?![.])/./; ++ return undef ++ unless substr($host, -length $mydom) eq $mydom ++ or ".$host" eq $mydom; ++ } ++ return $referer; ++} ++ + ## Login WWSympa + ## The sso_login action is made of 4 subactions that make a complete workflow. + ## Note that this comlexe workflow is only used if the SSO server does not provide +@@ -17002,7 +17028,9 @@ sub new_d_read { + ### File or directory ? + if ($document->{'type'} eq 'url') { + $param->{'file_extension'} = $document->{'file_extension'}; +- $param->{'redirect_to'} = $document->{'url'}; ++ $param->{'redirect_to'} = $document->{'url'} ++ if $document->{'url'} ++ and $document->{'url'} =~ m{\Ahttps?://}i; + return 1; + + }elsif ($document->{'type'} eq 'file') { diff -Nru sympa-6.1.23~dfsg/debian/patches/series sympa-6.1.23~dfsg/debian/patches/series --- sympa-6.1.23~dfsg/debian/patches/series 2018-07-24 21:14:39.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/patches/series 2018-09-19 19:15:20.000000000 +0200 @@ -9,3 +9,4 @@ 2001_ca_bundle_check_as_warning.patch 2006_disable_cssupdated_email_on_update.patch CVE-2018-1000550.patch +CVE-2018-1000671.patch
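Review bot: `_clean_referer` calls `Sympa::WWW::Tools::get_http_host()` and `URI->new`, while the other lines of this backport still use the older `tools::` namespace (`&tools::unescape_chars`). Please confirm that both packages are loaded in the 6.1.23 tree, because otherwise the `localhost` branch would die at runtime instead of rejecting the referer. Separately, `URI->new($referer)->host` can be empty or undefined for a URL with no authority part, and the `localhost` branch compares that value against `$myhost`, which also falls back to `''`. I would reject it up front: `my $host = URI->new($referer)->host;` then `return undef unless defined $host and length $host;` then `$host = lc $host;`. The sub is fully contained in the hunk.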
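Review bot: In the `new_d_read` hunk, a bookmark whose `url` fails the `m{\Ahttps?://}i` check still reaches `return 1` with `file_extension` set but no `redirect_to`, and nothing records that the redirect was refused. What the caller renders in that state is outside the hunk, so this may be harmless. A refused URL is still worth logging, so that stored bookmarks with unexpected schemes (the patch description mentions data URIs) can be found and cleaned up. At minimum I would add a comment above the assignment, such as `# Follow only http(s) bookmarks; any other scheme leaves redirect_to unset.` The enclosing function starts and ends outside the hunk.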