Hi,

This looks like a duplicate of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189#45

In the buster version though, CGI mode (which fcgiwrap emulates) was removed from Sympa, hence why I didn't add the same NEWS note as in stretch. It looks like this was still working somehow.

For the record here is the NEWS note:

    The fix for the CVE-2020-10936 security issue forced us to drop CGI
    mode for wwsympa earlier than officially (6.2.24).

    In particular, users of nginx+fcgiwrap are invited to switch to
    nginx+spawn-fcgi:

    https://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html

    See also:
    https://bugs.debian.org/972189
    https://github.com/sympa-community/sympa/issues/1020

Cheers!
Sylvain

On 31/12/2020 17:41, Tobias Frost wrote:
Package: sympa
Version: 6.2.40~dfsg-1+deb10u1
Severity: important

Dear Maintainer,

After installation of the security update the web interface is defunct.
It still loads the "default" site (here: https://$DOMAIN/wws/) but that is also
the site that will be loaded when selecting a menu entry, for example "Login".
(IOW, Login not possible as the login form is not presented)

Downgrading to 6.2.40~dfsg-1 makes it work again.

Webserver is an nginx instance.

The only hint I got (could be a red herring) is this in the nginx error log,
the sympa log is silent…

Here's an example of the nginx one:
(There are many of those…)

2020/12/27 12:13:57 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun 
Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value in string ne at 
/usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M
[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value $remote_addr in string ne at 
/usr/share/sympa/lib/Sympa/WWW/Session.pm line 408" while reading upstream, client: 80.209.204.233, server: 
lists.regensburg-repariert.de, request: "GET /wws/reviewbouncing/info HTTP/2.0", upstream: 
"fastcgi://unix:/run/fcgiwrap.socket:", host: "lists.regensburg-repariert.de"
2020/12/27 12:14:21 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun 
Dec 27 12:14:21 2020] wwsympa.fcgi: Use of uninitialized value in string ne at 
/usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M

(Those started exactly on Dec 24, after unattended-upgrades pulled in the
security update)

Let me know if I can provide more information…

Cheers,

