View | Details | Raw Unified | Return to bug 255455

(-)b/mail/sympa/Makefile (-1 / +1 lines)
Lines 1-7 Link Here
1
# Created by: Autrijus Tang <autrijus@autrijus.org>
1
# Created by: Autrijus Tang <autrijus@autrijus.org>
2
2
3
PORTNAME=	sympa
3
PORTNAME=	sympa
4
DISTVERSION=	6.2.60
4
DISTVERSION=	6.2.62
5
CATEGORIES=	mail
5
CATEGORIES=	mail
6
6
7
MAINTAINER=	dgeo@centrale-marseille.fr
7
MAINTAINER=	dgeo@centrale-marseille.fr
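Review bot: Only lines 1-7 of the Makefile are visible here, so confirm that no PORTREVISION is set further down; with DISTVERSION going from 6.2.60 to 6.2.62 it must be removed, otherwise the package version carries a stale revision suffix. Since this bump is the fix for the VuXML entry added in the same patch, the commit message should also reference vid 31a7ffb1-a80a-11eb-b159-f8b156c2bfe9.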
(-)b/mail/sympa/distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1609930329
1
TIMESTAMP = 1619604300
2
SHA256 (sympa-community-sympa-6.2.60_GH0.tar.gz) = c0a319b1dd220f6dd4a5aa8b7046e478c7a246de2e70659e544fc896e67297f7
2
SHA256 (sympa-community-sympa-6.2.62_GH0.tar.gz) = eb86ceee6a7837386961cb9915d27242900f36c949442fb6e8ed964997060e8c
3
SIZE (sympa-community-sympa-6.2.60_GH0.tar.gz) = 10428390
3
SIZE (sympa-community-sympa-6.2.62_GH0.tar.gz) = 10438551
(-)b/mail/sympa/pkg-plist (-2 / +2 lines)
Lines 538-544 share/locale/zh_TW/LC_MESSAGES/sympa.mo Link Here
538
%%DATADIR%%/defaults/mail_tt2/which.tt2
538
%%DATADIR%%/defaults/mail_tt2/which.tt2
539
%%DATADIR%%/defaults/mail_tt2/x509-user-cert-missing.tt2
539
%%DATADIR%%/defaults/mail_tt2/x509-user-cert-missing.tt2
540
%%DATADIR%%/defaults/mail_tt2/your_infected_msg.tt2
540
%%DATADIR%%/defaults/mail_tt2/your_infected_msg.tt2
541
%%DATADIR%%/defaults/mhonarc-ressources.tt2
541
%%DATADIR%%/defaults/mhonarc_rc.tt2
542
%%DATADIR%%/defaults/mime.types
542
%%DATADIR%%/defaults/mime.types
543
%%DATADIR%%/defaults/nrcpt_by_domain.conf
543
%%DATADIR%%/defaults/nrcpt_by_domain.conf
544
%%DATADIR%%/defaults/scenari/add.auth
544
%%DATADIR%%/defaults/scenari/add.auth
Lines 680-686 share/locale/zh_TW/LC_MESSAGES/sympa.mo Link Here
680
%%DATADIR%%/defaults/web_tt2/arcsearch_form.tt2
680
%%DATADIR%%/defaults/web_tt2/arcsearch_form.tt2
681
%%DATADIR%%/defaults/web_tt2/aside_menu.tt2
681
%%DATADIR%%/defaults/web_tt2/aside_menu.tt2
682
%%DATADIR%%/defaults/web_tt2/authorization_reject.tt2
682
%%DATADIR%%/defaults/web_tt2/authorization_reject.tt2
683
%%DATADIR%%/defaults/web_tt2/blacklist.tt2
683
%%DATADIR%%/defaults/web_tt2/blocklist.tt2
684
%%DATADIR%%/defaults/web_tt2/button_footer.tt2
684
%%DATADIR%%/defaults/web_tt2/button_footer.tt2
685
%%DATADIR%%/defaults/web_tt2/button_header.tt2
685
%%DATADIR%%/defaults/web_tt2/button_header.tt2
686
%%DATADIR%%/defaults/web_tt2/ca.tt2
686
%%DATADIR%%/defaults/web_tt2/ca.tt2
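Review bot: The plist change is limited to two renames (mhonarc-ressources.tt2 to mhonarc_rc.tt2 at line 541, web_tt2/blacklist.tt2 to blocklist.tt2 at line 683) for an update that goes from 6.2.60 to 6.2.62, so please confirm with make check-plist against the staged 6.2.62 tree that no other files were added, removed or renamed upstream. Sites that keep customised copies of these two templates under the old names will not have them picked up after the rename; a pkg-message or UPDATING note would help.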
(-)b/security/vuxml/vuln.xml (-1 / +40 lines)
Lines 76-81 Notes: Link Here
76
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
76
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
77
-->
77
-->
78
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
78
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
79
  <vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9">
80
    <topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic>
81
    <affects>
82
      <package>
83
	<name>sympa</name>
84
	<range><lt>6.2.62</lt></range>
85
      </package>
86
    </affects>
87
    <description>
88
      <body xmlns="http://www.w3.org/1999/xhtml">
89
	<p>Earlier versions of Sympa require a parameter named cookie in sympa.conf
90
	configuration file.</p>
91
	<blockquote cite="https://sympa-community.github.io/security/2021-001.html">
92
	<p>This parameter was used to make some identifiers generated by the system
93
	unpredictable. For example, it was used as following:</p>
94
	<ul><li>To be used as a salt to encrypt passwords stored in the database by
95
	the RC4 symmetric key algorithm.
96
	<p>Note that RC4 is no longer considered secure enough and is not supported
97
	in the current version of Sympa.</p></li>
98
	<li>To prevent attackers from sending crafted messages to achieve XSS and
99
	so on in message archives.</li></ul>
100
	<p>There were the following problems with the use of this parameter.</p>
101
	<ol><li>This parameter, for its purpose, should be different for each
102
	installation, and once set, it cannot be changed. As a result, some sites
103
	have been operating without setting this parameter. This completely
104
	invalidates the security measures described above.</li>
105
	<li>Even if this parameter is properly set, it may be considered not being
106
	strong enough against brute force attacks.</li></ol>
107
	</blockquote>
108
      </body>
109
    </description>
110
    <references>
111
      <url>https://sympa-community.github.io/security/2021-001.html</url>
112
    </references>
113
    <dates>
114
      <discovery>2021-04-27</discovery>
115
      <entry>2021-04-27</entry>
116
    </dates>
117
  </vuln>
118
79
  <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17">
119
  <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17">
80
    <topic>chromium -- multiple vulnerabilities</topic>
120
    <topic>chromium -- multiple vulnerabilities</topic>
81
    <affects>
121
    <affects>
82
- 
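Review bot: The topic at new line 80 is two full sentences copied from the advisory; VuXML topics follow the "portname -- short summary" form used by the neighbouring chromium entry, so shorten it to a single phrase about the weak cookie parameter. Also check the entry date at line 115: the distinfo TIMESTAMP in this same patch (1619604300) is 2021-04-28 UTC, so 2021-04-27 cannot be the date this entry lands in vuln.xml, and entry should be set to the actual commit date. The affected range lt 6.2.62 matches the new DISTVERSION.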
