Project

General

Profile

Anomalie #867

Demande #966: Résorber les problèmes d'exploitation de sympa

Fwd: [sympa-announce] 2012-001 Security breaches in archives management

Added by Vincent-Xavier JUMEL almost 12 years ago. Updated over 9 years ago.

Status:
Rejeté
Priority:
Immédiate
Category:
Task
Target version:
Start date:
12/03/2016
Due date:
% Done:

100%

Estimated time:
Difficulté:
2 Facile

Description

-------- Message original --------
Objet: [sympa-announce] 2012-001 Security breaches in archives
management
Date: 15.05.2012 16:37
De: David Verdin <>
À:
Répondre à:

______________________________________________________
______ English version _________________________

2012-001 SECURITY BREACHES IN ARCHIVES MANAGEMENT

1. THREAT
Possibility to bypass the authorization mechanisms in the archive
management page.
2. SYSTEMS AFFECTED
All Sympa branches are affected.
  • In branch 6.0, all versions prior to 6.0.7
  • In branch 6.1, all versions prior to 6.1.11
3. SUMMARY
Multiple vulnerabilities have been discovered in Sympa archive
management that allow to skip the scenario-based authorization
mechanisms.
This breach allows to:
  • display the archives management page ('arc_manage');
  • download the list's archives;
  • delete the list's archives.
4. SOLUTION
Users who can't upgrade to the latest versions have the following
workaround solution: preventing, through web server configuration, to
access the archive management,
Older versions are no longer maintained. Users of this version should
upgrade to 6.1.11 or 6.0.7 to prevent potential attacks.
5 - LINKS
Sympa 6.0.7 and 6.1.11 released

https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html
[4]

Sympa 6.1.11 released
https://www.sympa.org/#sympa_6111_released [5]
Avis de sécurité Sympa 2012-001

https://www.sympa.org/security_advisories#security_breaches_in_archives_management
[6]

______________________________________________________
______ French version _________________________

2012-001 FAILLES DE SCURIT DANS LA GESTION DES ARCHIVES DE LISTES

1. RISQUE

Contournement des droits de gestion des archives

2. SYSTMES AFFECTS

Toutes les branches de Sympa sont concernées.
  • Pour la branche 6.0, versions antérieures à 6.0.7
  • Pour la branche 6.1, versions antérieures à 6.1.11

3. RSUM

Des vulnérabilités multiples ont été découvertes dans Sympa,
permettant de contourner les scénarios d'autorisation de Sympa.
La faille permet :
  • d'afficher la page de gestion des archives pour toutes les listes
  • de télécharger tout ou partie des archives de chaque liste
  • de supprimer tout ou partie des archives de chaque liste

4. SOLUTION

En l'absence de possibilité de mise à jour, une solution de
contournement sera d'interdire l'accès aux pages de gestion des
archives par le biais de la configuration web ou du réseau.
Les versions antérieures ne sont plus maintenues. Les utilisateurs de
ces versions sont invités à passer aux versions 6.1.11 ou 6.0.7 pour
se protéger d'attaques éventuelles.

5 - LIENS

Sympa 6.0.7 and 6.1.11 released

https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html
[10]

Sympa 6.1.11 released
https://www.sympa.org/#sympa_6111_released [11]
Sympa security advisory 2012-001

https://www.sympa.org/security_advisories#security_breaches_in_archives_management
[12]

Links:
------
[1] http://www.sympa.org/distribution/sympa-6.1.11.tar.gz
[2] http://www.sympa.org/distribution/sympa-6.0.7.tar.gz
[3] http://sympa-ja.org/download/rhel/5/6.0/
[4]
https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html
[5] https://www.sympa.org/#sympa_6111_released
[6]
https://www.sympa.org/security_advisories#security_breaches_in_archives_management
[7] http://www.sympa.org/distribution/sympa-6.1.11.tar.gz
[8] http://www.sympa.org/distribution/sympa-6.0.7.tar.gz
[9] http://sympa-ja.org/download/rhel/5/6.0/
[10]
https://listes.renater.fr/sympa/arc/sympa-announce/2012-05/msg00001.html
[11] https://www.sympa.org/#sympa_6111_released
[12]
https://www.sympa.org/security_advisories#security_breaches_in_archives_management


Files

smime.p7s (4.28 KB) smime.p7s Vincent-Xavier JUMEL, 05/18/2012 10:26 AM

History

#1

Updated by Loïc Dachary over 11 years ago

  • Target version set to Backlog
#2

Updated by Loïc Dachary over 11 years ago

  • Priority changed from Normale to Immédiate
#3

Updated by Loïc Dachary over 11 years ago

  • Tracker changed from Demande to Anomalie
#4

Updated by Loïc Dachary over 11 years ago

  • Parent task set to #966
#5

Updated by Loïc Dachary over 11 years ago

  • Category set to Task
  • Difficulté set to 2 Facile
#6

Updated by Loïc Dachary over 11 years ago

  • Difficulté changed from 2 Facile to 3 Moyen
#7

Updated by Loïc Dachary over 11 years ago

  • Difficulté changed from 3 Moyen to 2 Facile
#8

Updated by Loïc Dachary over 11 years ago

  • Start date set to 12/03/2016
#9

Updated by Loïc Dachary about 11 years ago

  • Assignee set to Vincent-Xavier JUMEL
#10

Updated by Loïc Dachary about 11 years ago

  • Target version changed from Backlog to Janvier 2013
#11

Updated by Loïc Dachary about 11 years ago

  • Target version changed from Janvier 2013 to Backlog
#12

Updated by Loïc Dachary almost 11 years ago

  • Target version changed from Backlog to Avril 2013
#13

Updated by Frédéric Couchet over 10 years ago

  • Target version changed from Avril 2013 to Backlog
#14

Updated by Vincent-Xavier JUMEL over 9 years ago

  • Status changed from Nouveau to Rejeté
  • % Done changed from 0 to 100
#15

Updated by Vincent-Xavier JUMEL over 9 years ago

  • Target version changed from Backlog to Juillet 2014

Also available in: Atom PDF