Debian Bug report logs - #976020
sympa: CVE-2020-29668: Unauthorized access to review call of the SOAP API


Package: sympa; Maintainer for sympa is Debian Sympa team <sympa@packages.debian.org>; Source for sympa is src:sympa (PTS, buildd, popcon).

Reported by: "Stefan Hornburg (Racke)" <racke@linuxia.de>

Date: Sat, 28 Nov 2020 12:03:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions sympa/6.2.40~dfsg-7, 6.2.16~dfsg-3+deb9u4, sympa/6.2.40~dfsg-1

Fixed in versions sympa/6.2.58~dfsg-2, sympa/6.2.40~dfsg-1+deb10u1

Done: Sylvain Beucler <beuc@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/sympa-community/sympa/issues/1041



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <sympa@packages.debian.org>:
Bug#976020; Package sympa. (Sat, 28 Nov 2020 12:03:04 GMT)


Acknowledgement sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
New Bug report received and forwarded. Copy sent to Debian Sympa team <sympa@packages.debian.org>. (Sat, 28 Nov 2020 12:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Unauthorized access to review call of the SOAP API
Date: Sat, 28 Nov 2020 12:33:34 +0100
package: sympa
version: 6.2.58~dfsg-2
severity: important
tags: security
forwarded: https://github.com/sympa-community/sympa/issues/1041

It is possible to retrieve the email addresses of a list through the SOAP API without proper authentication.

This requires the following knowledge:

- name of the list
- email of a user that is allowed to see the email addresses OR a valid session id

The SOAP API is not activated with the default Debconf settings.

Patch attached.

Regards
          Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
[soap-api-access-fix.diff (text/x-patch, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
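The authentication flaw described in this report and in the buster changelog, as an added illustration that is neither Sympa's code nor the attached patch: a session lookup that rejects only a known-but-expired cookie, beside one that fails closed. The names (Session, lookup_fail_open, lookup_fail_closed, review, authenticate_and_run), the in-memory session store and the list data are all constructed assumptions.

```python
from dataclasses import dataclass

class AuthError(Exception):
    """Raised when a cookie does not map to a usable session."""

@dataclass
class Session:
    email: str         # authenticated user bound to this session
    expires_at: float  # epoch seconds

# Constructed session store and list data; stands in for a real backend.
NOW = 1_700_000_000.0
SESSIONS = {
    "cookie-alive": Session("member@example.org", NOW + 3600),
    "cookie-expired": Session("member@example.org", NOW - 3600),
}
LIST_MEMBERS = {"demo-list": ["a@example.org", "b@example.org"]}
ALLOWED_REVIEWERS = {"demo-list": {"member@example.org"}}

def lookup_fail_open(email, cookie, now=NOW):
    """Weak pattern: only a known-but-expired cookie is rejected.
    An unknown cookie falls through to a fresh session carrying the
    caller-supplied email, which later code treats as authenticated."""
    sess = SESSIONS.get(cookie)
    if sess is not None and sess.expires_at <= now:
        raise AuthError("session expired")
    return sess or Session(email, now + 3600)  # bug: fails open

def lookup_fail_closed(email, cookie, now=NOW):
    """Hardened pattern: the session must exist, be unexpired, be bound
    to a user, and that user must be the one the caller claims to be."""
    sess = SESSIONS.get(cookie)
    if sess is None or sess.expires_at <= now or not sess.email:
        raise AuthError("no valid session for this cookie")
    if sess.email.lower() != email.lower():
        raise AuthError("session does not belong to the claimed user")
    return sess

def review(list_name, caller):
    if caller not in ALLOWED_REVIEWERS.get(list_name, set()):
        raise PermissionError("caller may not review this list")
    return list(LIST_MEMBERS[list_name])

def authenticate_and_run(email, cookie, service, lookup):
    """Constructed dispatcher modelled on the authenticateAndRun call."""
    sess = lookup(email, cookie)
    return service(sess.email)
```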

Marked as found in versions sympa/6.2.40~dfsg-7. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Sat, 28 Nov 2020 13:03:02 GMT)


Marked as found in versions sympa/6.2.40~dfsg-1. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Sat, 28 Nov 2020 13:03:02 GMT)


Marked as found in versions 6.2.16~dfsg-3+deb9u4. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Sat, 28 Nov 2020 13:03:03 GMT)


Added tag(s) patch. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Sat, 28 Nov 2020 13:03:04 GMT)


Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility. (Sat, 28 Nov 2020 17:09:03 GMT)


Notification sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Bug acknowledged by developer. (Sat, 28 Nov 2020 17:09:03 GMT)


Message #18 received at 976020-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 976020-close@bugs.debian.org
Subject: Bug#976020: fixed in sympa 6.2.58~dfsg-2
Date: Sat, 28 Nov 2020 17:06:00 +0000
Source: sympa
Source-Version: 6.2.58~dfsg-2
Done: Stefan Hornburg (Racke) <racke@linuxia.de>

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Nov 2020 15:41:21 +0100
Source: sympa
Architecture: source
Version: 6.2.58~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Sympa team <sympa@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Closes: 976020
Changes:
 sympa (6.2.58~dfsg-2) unstable; urgency=low
 .
   * Apply patch to fix unauthorized access to review call of the SOAP API
     (Closes: #976020).
   * Add debconf-updatepo to clean target.
 .
   [ Sylvain Beucler ]
   * Ask the user whether they want/need sympa_newaliases-wrapper to
     be setuid root (CVE-2020-26880 mitigation)


Changed Bug title to 'sympa: CVE-2020-29668: Unauthorized access to review call of the SOAP API' from 'Unauthorized access to review call of the SOAP API'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Dec 2020 20:21:08 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Dec 2020 20:21:10 GMT)


Reply sent to Sylvain Beucler <beuc@debian.org>:
You have taken responsibility. (Mon, 28 Dec 2020 13:57:11 GMT)


Notification sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Bug acknowledged by developer. (Mon, 28 Dec 2020 13:57:11 GMT)


Message #27 received at 976020-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 976020-close@bugs.debian.org
Subject: Bug#976020: fixed in sympa 6.2.40~dfsg-1+deb10u1
Date: Mon, 28 Dec 2020 13:53:39 +0000
Source: sympa
Source-Version: 6.2.40~dfsg-1+deb10u1
Done: Sylvain Beucler <beuc@debian.org>

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvain Beucler <beuc@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 10 Dec 2020 14:39:54 +0100
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Sympa team <sympa@packages.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 952428 961491 971904 976020
Changes:
 sympa (6.2.40~dfsg-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2020-10936: Sympa allows privilege escalation through setuid
     wrappers. (Closes: #961491)
   * CVE-2020-26932: restrict access to sympa_newaliases-wrapper (setuid
     root) to group sympa. (Closes: #971904)
   * Ask the user whether they want/need sympa_newaliases-wrapper to
     be setuid root (CVE-2020-26880 mitigation).
   * CVE-2020-9369: prevents creation of temporary files and email
     notifications to listmasters when encountering malformed input
     parameters. (Closes: #952428)
   * CVE-2020-29668: Sympa allows remote attackers to obtain full SOAP API
     access by sending any arbitrary string (except one from an expired
     cookie) as the cookie value to authenticateAndRun. (Closes: #976020).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jan 2021 07:26:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:09:23 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.