From f43230b208b70cf1bf304b8e94ce894e020b948a Mon Sep 17 00:00:00 2001 From: Geoffroy Desvernay Date: Wed, 28 Apr 2021 12:31:01 +0200 Subject: [PATCH] upgrade sympa to 6.2.62 --- mail/sympa/Makefile | 2 +- mail/sympa/distinfo | 6 +++--- mail/sympa/pkg-plist | 4 ++-- security/vuxml/vuln.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/mail/sympa/Makefile b/mail/sympa/Makefile index ce0b1fb94039..89d0ccac7752 100644 --- a/mail/sympa/Makefile +++ b/mail/sympa/Makefile @@ -1,7 +1,7 @@ # Created by: Autrijus Tang PORTNAME= sympa -DISTVERSION= 6.2.60 +DISTVERSION= 6.2.62 CATEGORIES= mail MAINTAINER= dgeo@centrale-marseille.fr diff --git a/mail/sympa/distinfo b/mail/sympa/distinfo index b75385536833..dc07535889aa 100644 --- a/mail/sympa/distinfo +++ b/mail/sympa/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1609930329 -SHA256 (sympa-community-sympa-6.2.60_GH0.tar.gz) = c0a319b1dd220f6dd4a5aa8b7046e478c7a246de2e70659e544fc896e67297f7 -SIZE (sympa-community-sympa-6.2.60_GH0.tar.gz) = 10428390 +TIMESTAMP = 1619604300 +SHA256 (sympa-community-sympa-6.2.62_GH0.tar.gz) = eb86ceee6a7837386961cb9915d27242900f36c949442fb6e8ed964997060e8c +SIZE (sympa-community-sympa-6.2.62_GH0.tar.gz) = 10438551 diff --git a/mail/sympa/pkg-plist b/mail/sympa/pkg-plist index 46fb18ef856d..e6246e70dd18 100644 --- a/mail/sympa/pkg-plist +++ b/mail/sympa/pkg-plist @@ -538,7 +538,7 @@ share/locale/zh_TW/LC_MESSAGES/sympa.mo %%DATADIR%%/defaults/mail_tt2/which.tt2 %%DATADIR%%/defaults/mail_tt2/x509-user-cert-missing.tt2 %%DATADIR%%/defaults/mail_tt2/your_infected_msg.tt2 -%%DATADIR%%/defaults/mhonarc-ressources.tt2 +%%DATADIR%%/defaults/mhonarc_rc.tt2 %%DATADIR%%/defaults/mime.types %%DATADIR%%/defaults/nrcpt_by_domain.conf %%DATADIR%%/defaults/scenari/add.auth 
@@ -680,7 +680,7 @@ share/locale/zh_TW/LC_MESSAGES/sympa.mo %%DATADIR%%/defaults/web_tt2/arcsearch_form.tt2 %%DATADIR%%/defaults/web_tt2/aside_menu.tt2 %%DATADIR%%/defaults/web_tt2/authorization_reject.tt2 -%%DATADIR%%/defaults/web_tt2/blacklist.tt2 +%%DATADIR%%/defaults/web_tt2/blocklist.tt2 %%DATADIR%%/defaults/web_tt2/button_footer.tt2 %%DATADIR%%/defaults/web_tt2/button_header.tt2 %%DATADIR%%/defaults/web_tt2/ca.tt2 diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 7a8b0a201a25..1c57d6d1662d 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security. + + + sympa + 6.2.62 + + + + +

Earlier versions of Sympa require a parameter named cookie in sympa.conf + configuration file.

+
+

This parameter was used to make some identifiers generated by the system + unpredictable. For example, it was used as following:

+
  • To be used as a salt to encrypt passwords stored in the database by + the RC4 symmetric key algorithm. +

    Note that RC4 is no longer considered secure enough and is not supported + in the current version of Sympa.

  • +
  • To prevent attackers from sending crafted messages to achieve XSS and + so on in message archives.
+

There were the following problems with the use of this parameter.

+
  1. This parameter, for its purpose, should be different for each + installation, and once set, it cannot be changed. As a result, some sites + have been operating without setting this parameter. This completely + invalidates the security measures described above.
  2. +
  3. Even if this parameter is properly set, it may be considered not being + strong enough against brute force attacks.
+
+ +
+ + https://sympa-community.github.io/security/2021-001.html + + + 2021-04-27 + 2021-04-27 + +
+ chromium -- multiple vulnerabilities -- 2.31.1
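Review bot: The two mail/sympa/pkg-plist hunks rename shipped defaults (defaults/mhonarc-ressources.tt2 to defaults/mhonarc_rc.tt2, and defaults/web_tt2/blacklist.tt2 to defaults/web_tt2/blocklist.tt2), but nothing in the patch tells administrators about it. If a site keeps a customised copy under either old name, it may stop matching the new default after the upgrade. Consider a pkg-message or UPDATING note naming both renames, so local overrides get checked when moving from 6.2.60 to 6.2.62.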
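Review bot: In the security/vuxml/vuln.xml hunk, both dates read 2021-04-27 while the patch itself is dated 28 Apr 2021. If the second one is the entry date, it should be the day the entry is actually committed, so please bump it at commit time. The topic line is also two full sentences ("Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security."); a single short phrase after "sympa --" would read better in listings that show only the topic. Finally, the description lists the two problems with the cookie parameter but does not say what an administrator should do about it beyond upgrading to 6.2.62; one sentence pointing to the steps in the referenced advisory (https://sympa-community.github.io/security/2021-001.html) would make the entry actionable on its own.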