Hi Antoine,
On 09/11/2020 16:48, Antoine Beaupré wrote:
> On 2020-11-09 14:04:02, Sylvain Beucler wrote:
>> -------------------------------------------------------------------------
>> Debian LTS Advisory DLA-2441-1 debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/
>> November 09, 2020 https://wiki.debian.org/LTS
>> -------------------------------------------------------------------------
>> Package : sympa
>> Version : 6.2.16~dfsg-3+deb9u4
>> CVE ID : CVE-2018-1000671 CVE-2020-26880
>> Debian Bug : 908165 972189
>
> What's up with those bug reports? #908165 refers to CVE-2018-1000671 but
> #972189 refers to CVE-2020-10936, not CVE-2020-26880.

This upload indeed addresses #972189 which, as documented in my
concluding message to that bug, and in the package changelog, involves
adding a bit of documentation related to CVE-2020-10936 (fixed in the
previous upload).

> Also, CVE-2020-26880 is marked as unfixed in the security tracker (and
> the upstream bugtracker), but not CVE-2020-10936...
> Which one is which? Is the sympa package in Debian LTS still vulnerable
> to privilege escalation?
The rest of the advisory explains this:
: A privilege escalation was discovered in Sympa, a modern mailing list
: manager. It is fixed when Sympa is used in conjunction with common
: MTAs (such as Exim or Postfix) by disabling a setuid executable,
: although no fix is currently available for all environments (such as
: sendmail).
The security tracker's status is set accordingly:
[stretch] - sympa <postponed> (Mitigated, revisit when fixed upstream)
For further context, according to my exchanges with upstream, little
manpower is available to fully fix current security issues, so it is
unlikely we'll get a complete fix in the coming months/year. Meanwhile,
this upload allows fixing CVE-2020-26880 in 90% of cases (that is,
basically all MTA setups besides plain sendmail).
Let me know if something needs to be clarified and how.
Cheers!
Sylvain