USN-4442-2: Sympa vulnerabilities
15 March 2021
Several security issues were fixed in Sympa.
Releases
Packages
- sympa - Modern mailing list manager
Details
USN-4442-1 fixed vulnerabilities in Sympa. This update provides the
corresponding updates for Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu
20.04 ESM. Original advisory details:
Nicolas Chatelain discovered that Sympa incorrectly handled environment
variables. An attacker could possibly use this issue with a setuid
binary and gain root privileges. (CVE-2020-10936)
Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP
GET/POST requests. An attacker could possibly use this issue to insert,
edit or obtain sensitive information. This issue only affected Ubuntu 16.04
ESM and Ubuntu 18.04 ESM. (CVE-2018-1000550)
It was discovered that Sympa incorrectly handled URL parameters. An
attacker could possibly use this issue to perform XSS attacks. This issue only
affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2018-1000671)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
sympa
-
6.2.40~dfsg-4ubuntu0.20.04.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
sympa
-
6.2.24~dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
sympa
-
6.1.24~dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.