diff options
| author | Neel Chauhan <nc@FreeBSD.org> | 2021-04-28 16:56:22 +0000 |
|---|---|---|
| committer | Neel Chauhan <nc@FreeBSD.org> | 2021-04-28 16:56:22 +0000 |
| commit | 10ad22f83cf7c9a495f3f04c822e2b63ee580215 (patch) | |
| tree | 498578f3e9a9b88115b49bbb9a3391a87bcb3035 | |
| parent | 554627ac3cfce1b0284967debcc8a6e2bbed5781 (diff) | |
mail/sympa: add vuxml entry
PR: 255455
Submitted by: Geoffroy Desvernay <dgeo@centrale-marseille.fr> (maintainer)
| -rw-r--r-- | security/vuxml/vuln.xml | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 7a8b0a201a25..1c57d6d1662d 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9"> + <topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic> + <affects> + <package> + <name>sympa</name> + <range><lt>6.2.62</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Earlier versions of Sympa require a parameter named cookie in sympa.conf + configuration file.</p> + <blockquote cite="https://sympa-community.github.io/security/2021-001.html"> + <p>This parameter was used to make some identifiers generated by the system + unpredictable. For example, it was used as following:</p> + <ul><li>To be used as a salt to encrypt passwords stored in the database by + the RC4 symmetric key algorithm. + <p>Note that RC4 is no longer considered secure enough and is not supported + in the current version of Sympa.</p></li> + <li>To prevent attackers from sending crafted messages to achieve XSS and + so on in message archives.</li></ul> + <p>There were the following problems with the use of this parameter.</p> + <ol><li>This parameter, for its purpose, should be different for each + installation, and once set, it cannot be changed. As a result, some sites + have been operating without setting this parameter. This completely + invalidates the security measures described above.</li> + <li>Even if this parameter is properly set, it may be considered not being + strong enough against brute force attacks.</li></ol> + </blockquote> + </body> + </description> + <references> + <url>https://sympa-community.github.io/security/2021-001.html</url> + </references> + <dates> + <discovery>2021-04-27</discovery> + <entry>2021-04-27</entry> + </dates> + </vuln> + <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17"> <topic>chromium -- multiple vulnerabilities</topic> <affects> |