The Sympa Community 2020-02-24 (Update)
A fix is available for a vulnerability discovered in the Sympa web interface.
A vulnerability has been discovered in the Sympa web interface that can be used to cause a denial of service (DoS).
By submitting requests with malformed parameters, an attacker can make Sympa create junk files in its directory for temporary files. In particular, by tampering with the token used to prevent CSRF, an attacker can cause excessive notification messages to be sent to the listmasters.
Impact: denial of service (DoS), either because the disk fills up or because the listmasters are flooded with messages.
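The following monitoring check is an added example, not code from Sympa or from this advisory. It watches the directory for temporary files for the junk-file build-up described above and reports when recently written files, their total size, or the remaining free disk space cross a threshold. The directory path and the thresholds are assumptions to be set for the local installation.

```python
"""Added example (not Sympa's own code): detect the junk-file build-up in
Sympa's directory for temporary files described in this advisory.

Assumptions (not from the advisory): the caller passes the temporary
directory of the local Sympa instance; the thresholds are illustrative."""
import os
import sys
import time
from dataclasses import dataclass


@dataclass
class TmpDirReport:
    recent_files: int   # files written inside the time window
    recent_bytes: int   # their total size in bytes
    free_bytes: int     # free space on the filesystem holding the directory
    alert: bool         # True when at least one threshold was crossed


def scan_tmpdir(path, window_s=600, max_files=500, max_bytes=50 * 2**20,
                min_free_bytes=2**30, now=None):
    """Count the regular files in `path` modified within the last `window_s`
    seconds, sum their sizes, read the free space of the filesystem, and
    compare all three against the thresholds. Only the top level is scanned
    and symlinks are not followed."""
    now = time.time() if now is None else now
    recent_files = recent_bytes = 0
    with os.scandir(path) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            if now - st.st_mtime <= window_s:
                recent_files += 1
                recent_bytes += st.st_size
    vfs = os.statvfs(path)
    free_bytes = vfs.f_bavail * vfs.f_frsize
    alert = (recent_files > max_files or recent_bytes > max_bytes
             or free_bytes < min_free_bytes)
    return TmpDirReport(recent_files, recent_bytes, free_bytes, alert)


if __name__ == "__main__":
    # Usage: python check_tmpdir.py /path/to/sympa/tmp   (path is an assumption)
    report = scan_tmpdir(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report)
    sys.exit(1 if report.alert else 0)
```

Run it from cron with the exit status feeding the usual alerting; a sudden jump in recent files while the web interface is exposed is the signal this advisory warns about.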
No workaround is known at present.
Upgrade to version 6.2.54
Apply a patch
Download the appropriate patch file and save it on your server. Move into the directory where wwsympa.fcgi is installed, and apply
# patch -p1 < sympa-6.2.XX-sa-2020-001.patch
Then restart the web interface.
The security flaw this advisory describes was reported by Javier Moreno.
Initial version published.
CVE number: CVE-2020-9369 was assigned.