FreeBSD Bugzilla – Attachment 224491 Details for Bug 255455: mail/sympa: security upgrade to 6.2.62
[patch] git patch with vuxml entry
0001-upgrade-sympa-to-6.2.62.patch (text/plain), 4.50 KB, created by geoffroy desvernay on 2021-04-28 10:36:57 UTC
>From f43230b208b70cf1bf304b8e94ce894e020b948a Mon Sep 17 00:00:00 2001 >From: Geoffroy Desvernay <dgeo@centrale-marseille.fr> >Date: Wed, 28 Apr 2021 12:31:01 +0200 >Subject: [PATCH] upgrade sympa to 6.2.62 > >--- > mail/sympa/Makefile | 2 +- > mail/sympa/distinfo | 6 +++--- > mail/sympa/pkg-plist | 4 ++-- > security/vuxml/vuln.xml | 40 ++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 46 insertions(+), 6 deletions(-) > >diff --git a/mail/sympa/Makefile b/mail/sympa/Makefile >index ce0b1fb94039..89d0ccac7752 100644 >--- a/mail/sympa/Makefile >+++ b/mail/sympa/Makefile >@@ -1,7 +1,7 @@ > # Created by: Autrijus Tang <autrijus@autrijus.org> > > PORTNAME= sympa >-DISTVERSION= 6.2.60 >+DISTVERSION= 6.2.62 > CATEGORIES= mail > > MAINTAINER= dgeo@centrale-marseille.fr >diff --git a/mail/sympa/distinfo b/mail/sympa/distinfo >index b75385536833..dc07535889aa 100644 >--- a/mail/sympa/distinfo >+++ b/mail/sympa/distinfo >@@ -1,3 +1,3 @@ >-TIMESTAMP = 1609930329 >-SHA256 (sympa-community-sympa-6.2.60_GH0.tar.gz) = c0a319b1dd220f6dd4a5aa8b7046e478c7a246de2e70659e544fc896e67297f7 >-SIZE (sympa-community-sympa-6.2.60_GH0.tar.gz) = 10428390 >+TIMESTAMP = 1619604300 >+SHA256 (sympa-community-sympa-6.2.62_GH0.tar.gz) = eb86ceee6a7837386961cb9915d27242900f36c949442fb6e8ed964997060e8c >+SIZE (sympa-community-sympa-6.2.62_GH0.tar.gz) = 10438551 >diff --git a/mail/sympa/pkg-plist b/mail/sympa/pkg-plist >index 46fb18ef856d..e6246e70dd18 100644 >--- a/mail/sympa/pkg-plist >+++ b/mail/sympa/pkg-plist >@@ -538,7 +538,7 @@ share/locale/zh_TW/LC_MESSAGES/sympa.mo > %%DATADIR%%/defaults/mail_tt2/which.tt2 > %%DATADIR%%/defaults/mail_tt2/x509-user-cert-missing.tt2 > %%DATADIR%%/defaults/mail_tt2/your_infected_msg.tt2 >-%%DATADIR%%/defaults/mhonarc-ressources.tt2 >+%%DATADIR%%/defaults/mhonarc_rc.tt2 > %%DATADIR%%/defaults/mime.types > %%DATADIR%%/defaults/nrcpt_by_domain.conf > %%DATADIR%%/defaults/scenari/add.auth 
>@@ -680,7 +680,7 @@ share/locale/zh_TW/LC_MESSAGES/sympa.mo > %%DATADIR%%/defaults/web_tt2/arcsearch_form.tt2 > %%DATADIR%%/defaults/web_tt2/aside_menu.tt2 > %%DATADIR%%/defaults/web_tt2/authorization_reject.tt2 >-%%DATADIR%%/defaults/web_tt2/blacklist.tt2 >+%%DATADIR%%/defaults/web_tt2/blocklist.tt2 > %%DATADIR%%/defaults/web_tt2/button_footer.tt2 > %%DATADIR%%/defaults/web_tt2/button_header.tt2 > %%DATADIR%%/defaults/web_tt2/ca.tt2 >diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml >index 7a8b0a201a25..1c57d6d1662d 100644 >--- a/security/vuxml/vuln.xml >+++ b/security/vuxml/vuln.xml 
>@@ -76,6 +76,46 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9"> >+ <topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic> >+ <affects> >+ <package> >+ <name>sympa</name> >+ <range><lt>6.2.62</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Earlier versions of Sympa require a parameter named cookie in sympa.conf >+ configuration file.</p> >+ <blockquote cite="https://sympa-community.github.io/security/2021-001.html"> >+ <p>This parameter was used to make some identifiers generated by the system >+ unpredictable. For example, it was used as following:</p> >+ <ul><li>To be used as a salt to encrypt passwords stored in the database by >+ the RC4 symmetric key algorithm. >+ <p>Note that RC4 is no longer considered secure enough and is not supported >+ in the current version of Sympa.</p></li> >+ <li>To prevent attackers from sending crafted messages to achieve XSS and >+ so on in message archives.</li></ul> >+ <p>There were the following problems with the use of this parameter.</p> >+ <ol><li>This parameter, for its purpose, should be different for each >+ installation, and once set, it cannot be changed. As a result, some sites >+ have been operating without setting this parameter. 
This completely >+ invalidates the security measures described above.</li> >+ <li>Even if this parameter is properly set, it may be considered not being >+ strong enough against brute force attacks.</li></ol> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://sympa-community.github.io/security/2021-001.html</url> >+ </references> >+ <dates> >+ <discovery>2021-04-27</discovery> >+ <entry>2021-04-27</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17"> > <topic>chromium -- multiple vulnerabilities</topic> > <affects> >-- >2.31.1 >
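Review bot: The two mail/sympa/pkg-plist hunks (at lines 538 and 680) rename installed default templates, mhonarc-ressources.tt2 to mhonarc_rc.tt2 and web_tt2/blacklist.tt2 to web_tt2/blocklist.tt2, and nothing else in the patch tells administrators about it. If a site keeps customised copies under the old names, they may no longer be picked up after the upgrade; consider an UPDATING entry or a pkg-message naming the new files, or confirm in the PR that upstream's upgrade step handles the old names.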
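Review bot: In the security/vuxml/vuln.xml hunk, the new entry's <topic> is two full sentences, while the neighbouring entry in the same hunk uses the short "package -- summary" form ("chromium -- multiple vulnerabilities"); shorten it to something like "sympa -- insufficient protection from the cookie parameter" and leave the detail in <description>. The <entry> date is 2021-04-27 although the patch itself is dated 28 Apr 2021, so set <entry> to the date the entry is actually committed. The description lists the problems with the cookie parameter but does not say what 6.2.62 changes or whether operators need to do anything beyond upgrading; a sentence taken from the referenced advisory would make the entry actionable.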