Your message dated Tue, 25 Feb 2020 18:50:26 +0000 with message-id <e1j6fhm-0006lq...@fasolo.debian.org> and subject line Bug#952428: fixed in sympa 6.2.40~dfsg-4 has caused the Debian Bug report #952428, regarding sympa: CVE-2020-9369: Security flaws in CSRF prevention to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
952428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
version: 6.2.40~dfsg-3
tags: patch

A vulnerability has been discovered in the Sympa web interface that can cause a denial of service (DoS) attack. By submitting requests with malformed parameters, this flaw allows junk files to be created in Sympa's directory for temporary files. In particular, by tampering with the token used to prevent CSRF, it makes it possible to originate excessive notification messages to listmasters.

Full advisory: https://sympa-community.github.io/security/2020-001.html

Regards
Racke

--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

From 9b86fb3f0337d70221d63392db7d1a52b439dc8f Mon Sep 17 00:00:00 2001 From: IKEDA Soji <ik...@conversion.co.jp> Date: Tue, 11 Feb 2020 17:52:22 +0900 Subject: [PATCH] Sympa SA 2020-001 (candidate). Denial of service caused by malformed CSRF token. --- src/cgi/wwsympa.fcgi.in | 25 +++---------------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in index 2eb8aec..c7b5195 100644 --- a/src/cgi/wwsympa.fcgi.in +++ b/src/cgi/wwsympa.fcgi.in @@ -992,9 +992,6 @@ our %in_regexp = ( # Role 'role' => 'member|editor|owner', - - ## CSRF token is a lower case MD5 hash - 'csrftoken' => '^[0-9a-f]{32}$', ); ## Regexp applied on incoming parameters (%in) @@ -1262,8 +1259,6 @@ while ($query = CGI::Fast->new) { # affected to another anonymous session. undef $ENV{'HTTP_COOKIE'}; unless (defined $session) { - Sympa::send_notify_to_listmaster($robot, - 'failed_to_create_web_session', {}); wwslog('info', 'Failed to create session'); $session = Sympa::WWW::Session->new($robot, {}); } 
@@ -2149,32 +2144,18 @@ sub get_parameters { if ($one_p !~ /^$regexp$/s || (defined $negative_regexp && $one_p =~ /$negative_regexp/s) ) { - ## Dump parameters in a tmp file for later analysis - my $dump_file = - Conf::get_robot_conf($robot, 'tmpdir') - . '/sympa_dump.' - . time . '.' - . $PID; - unless (open DUMP, ">$dump_file") { - wwslog('err', 'Failed to create %s: %s', - $dump_file, $ERRNO); - } - Sympa::Tools::Data::dump_var(\%in, 0, \*DUMP); - close DUMP; - Sympa::WWW::Report::reject_report_web('user', 'syntax_errors', {p_name => $p}, '', ''); wwslog( 'err', - 'Syntax error for parameter %s value "%s" not conform to regexp:%s; dumped vars in %s', + 'Syntax error for parameter %s value "%s" not conform to regexp:%s', $pname, $one_p, - $regexp, - $dump_file + $regexp ); $in{$p} = ''; - next; + last; } } } -- 1.8.3.1signature.asc
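Review bot: dropping the 'csrftoken' => '^[0-9a-f]{32}$' entry from %in_regexp (first hunk) removes the only validation of that parameter visible in this patch; a malformed token no longer reaches the syntax_errors path, but nothing in the diff shows where csrftoken is checked instead. The commit message ("Denial of service caused by malformed CSRF token") should state how the token is validated after this change, and a one-line comment at the removal site pointing at that check would save the next reader the search.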
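Review bot: in the second hunk, replacing the Sympa::send_notify_to_listmaster call for a failed Sympa::WWW::Session->new with only wwslog('info', 'Failed to create session') downgrades a condition that can also signal a genuine backend problem to a level operators commonly filter out. Keeping the log at 'err', or rate-limiting the notification instead of removing it, would stop the request-triggered flood while preserving the operator signal; at minimum, note in a comment why the notification was dropped.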
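Review bot: the "- next;" / "+ last;" change at the end of the third hunk is a control-flow change unrelated to the dump-file removal and is not mentioned in the commit message: after the first non-conforming value the remaining values of the parameter are no longer checked or logged. It is harmless because $in{$p} is cleared either way, but say so in the message. Separately, the remaining wwslog('err', 'Syntax error for parameter %s value "%s" not conform to regexp:%s', ...) still writes the full client-supplied $one_p into the log, so a very long malformed parameter now inflates the log file instead of tmpdir; truncating $one_p to a fixed length in that message would close the residual disk-filling vector.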
--- End Message ---
--- Begin Message ---
Source: sympa
Source-Version: 6.2.40~dfsg-4
Done: Stefan Hornburg (Racke) <ra...@linuxia.de>

We believe that the bug you reported is fixed in the latest version of sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 952...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <ra...@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 25 Feb 2020 19:22:52 +0100
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <sy...@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <ra...@linuxia.de>
Closes: 952428
Changes:
 sympa (6.2.40~dfsg-4) unstable; urgency=medium
 .
   * Apply patch to fix Sympa web interface vulnerability: CVE-2020-9369
     (Closes: #952428). This prevents creation of temporary files and email
     notifications to listmasters when encountering malformed input parameters.
--- End Message ---