Debian Package Tracker

general

source: sympa (main)
version: 6.2.58~dfsg-1
maintainer: Debian Sympa team (DMD)
uploaders: Stefan Hornburg (Racke) [DMD] – Emmanuel Bouthenot [DMD]
arch: any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 6.1.23~dfsg-2+deb8u1
o-o-sec: 6.1.23~dfsg-2+deb8u3
oldstable: 6.2.16~dfsg-3+deb9u2
old-sec: 6.2.16~dfsg-3+deb9u3
stable: 6.2.40~dfsg-1
testing: 6.2.40~dfsg-7
unstable: 6.2.58~dfsg-1

versioned links

6.1.23~dfsg-2+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.23~dfsg-2+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.16~dfsg-3+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.16~dfsg-3+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.40~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.40~dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.58~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

sympa (39 bugs: 0, 24, 15, 0)

action needed

2 security issues in stretch high

There are 2 open security issues in stretch.

1 important issue:

CVE-2020-26880: Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

1 issue skipped by the security teams:

CVE-2018-1000671: sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs. This attack appear to be exploitable via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available.

Please fix them.

Created: 2018-09-07 Last update: 2020-10-25 17:34

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2020-26880: Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

Please fix it.

Created: 2020-10-08 Last update: 2020-10-25 17:34

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-26880: Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

Please fix it.

Created: 2020-10-08 Last update: 2020-10-25 17:34

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2020-10-19 Last update: 2020-10-26 01:02

Depends on packages which need a new maintainer normal

The packages that sympa depends on which need a new maintainer are:

libintl-perl (#945988)
- Build-Depends: libintl-perl
- Depends: libintl-perl

Created: 2019-11-22 Last update: 2020-10-25 22:08

piuparts found (un)installation error(s) normal

Piuparts stresses package installation, uninstallation, upgrade, ... While doing such tests, one or more errors were found for the following suites:

sid - piuparts

You should fix them.

Created: 2020-10-25 Last update: 2020-10-25 18:05

lintian reports 9 warnings normal

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-10-22 04:34

4 ignored security issues in buster low

There are 4 open security issues in buster.

4 issues skipped by the security teams:

CVE-2020-10936: Sympa before 6.2.56 allows privilege escalation.
CVE-2020-26880: Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.
CVE-2020-26932: debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)
CVE-2020-9369: Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters.

Please fix them.

Created: 2020-02-24 Last update: 2020-10-25 17:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2020-10-25 17:37

testing migrations

excuses:
- Migration status for sympa (6.2.40~dfsg-7 to 6.2.58~dfsg-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Rejected due to piuparts regression - https://piuparts.debian.org/sid/source/s/sympa.html
- Too young, only 1 of 10 days old
- Not considered

news

[rss feed]

[2020-10-25] Accepted sympa 6.2.58~dfsg-1 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2020-10-15] sympa 6.2.40~dfsg-7 MIGRATED to testing (Debian testing watch)
[2020-10-10] Accepted sympa 6.2.40~dfsg-7 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2020-10-07] Accepted sympa 6.2.16~dfsg-3+deb9u3 (source) into oldstable (Sylvain Beucler)
[2020-10-07] sympa 6.2.40~dfsg-6 MIGRATED to testing (Debian testing watch)
[2020-10-01] Accepted sympa 6.2.40~dfsg-6 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2020-09-30] sympa 6.2.40~dfsg-5 MIGRATED to testing (Debian testing watch)
[2020-09-25] Accepted sympa 6.2.40~dfsg-5 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2020-06-24] sympa REMOVED from testing (Debian testing watch)
[2020-03-02] sympa 6.2.40~dfsg-4 MIGRATED to testing (Debian testing watch)
[2020-02-25] Accepted sympa 6.2.40~dfsg-4 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2019-09-12] sympa 6.2.40~dfsg-3 MIGRATED to testing (Debian testing watch)
[2019-09-07] Accepted sympa 6.2.40~dfsg-3 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2019-09-02] sympa 6.2.40~dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-08-28] Accepted sympa 6.2.40~dfsg-2 (source) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2019-01-27] sympa 6.2.40~dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-01-21] Accepted sympa 6.2.40~dfsg-1 (source amd64) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2019-01-03] Accepted sympa 6.2.16~dfsg-3+deb9u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2018-12-30] sympa 6.2.38~dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-12-25] Accepted sympa 6.2.38~dfsg-1 (source amd64) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2018-12-20] sympa 6.2.36~dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-12-19] sympa REMOVED from testing (Debian testing watch)
[2018-12-08] sympa 6.2.36~dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-12-02] Accepted sympa 6.2.36~dfsg-2 (source amd64) into unstable (Stefan Hornburg (Racke)) (signed by: Stefan Hornburg)
[2018-10-03] sympa 6.2.36~dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-02] Accepted sympa 6.2.16~dfsg-3+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2018-09-27] Accepted sympa 6.2.36~dfsg-1 (source amd64) into unstable (Emmanuel Bouthenot)
[2018-09-21] Accepted sympa 6.1.23~dfsg-2+deb8u3 (source) into oldstable (Abhijith PA) (signed by: Roberto C. Sanchez)
[2018-09-05] Accepted sympa 6.2.16~dfsg-3+deb9u1 (source) into stable->embargoed, stable (Salvatore Bonaccorso)
[2018-07-24] Accepted sympa 6.1.23~dfsg-2+deb8u2 (source amd64) into oldstable (Markus Koschany)

bugs [bug history graph]

all: 40
RC: 0
I&N: 25
M&W: 15
F&P: 0
patch: 3

links

homepage
lintian (0, 9)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (99, 38)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.2.40~dfsg-4
28 bugs (1 patch)