The Sympa Community 2021-01-06 (Update)
A fix is available for defects in the access restriction of the Sympa SOAP/HTTP interface.
Defects have been discovered in the authenticateAndRun call of the Sympa SOAP/HTTP interface by which the access restriction can be bypassed. As a result, any SOAP call can be executed.
For more details see References.
This problem does not apply to environments where the SOAP/HTTP server (sympa_soap_server.fcgi) is not running.
An attacker can execute any SOAP call with the privileges of any Sympa account.
Upgrade Sympa to version 6.2.60 or later, or, if you installed Sympa from an earlier source distribution, apply the patch matching your version:
Patch for Sympa 6.2.28 to 6.2.58: sympa-6.2.58-sa-2020-003-r1.patch
Patch for Sympa 6.2 to 6.2.24: sympa-6.2.24-sa-2020-003-r1.patch
Patch for Sympa 6.1.25: sympa-6.1.25-sa-2020-003-r1.patch
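The following triage helper is an added example, not code from Sympa or from this advisory. It encodes the version ranges listed above (fixed in 6.2.60 or later; the three patches for 6.2.28 to 6.2.58, 6.2 to 6.2.24, and 6.1.25) and the note that installations without sympa_soap_server.fcgi running are not exposed. The version-string grammar it accepts, in particular the beta form "6.2.59b.2", is an assumption about how Sympa numbers its releases; versions the advisory lists no patch for simply get the upgrade recommendation.

```python
"""Triage a Sympa installation against the authenticateAndRun advisory.

Added example; the version grammar (including the "6.2.59b.2" beta form)
and the helper names are assumptions, not Sympa's own code.
"""
import re
from typing import NamedTuple


class SympaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int  # 1 for a final release, 0 for a beta (sorts before the final)
    beta: int     # beta counter, 0 for final releases


# "6.2", "6.2.58" or "6.2.59b.2" (assumed beta convention)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:b\.(\d+))?$")


def parse_version(text: str) -> SympaVersion:
    """Parse a Sympa version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sympa version string: {text!r}")
    major, minor, patch, beta = m.groups()
    if beta is None:
        return SympaVersion(int(major), int(minor), int(patch or 0), 1, 0)
    return SympaVersion(int(major), int(minor), int(patch or 0), 0, int(beta))


# Fixed release named in the advisory.
FIXED = parse_version("6.2.60")

# (lowest, highest, patch file) ranges exactly as the advisory lists them.
PATCHES = (
    (parse_version("6.2.28"), parse_version("6.2.58"), "sympa-6.2.58-sa-2020-003-r1.patch"),
    (parse_version("6.2"), parse_version("6.2.24"), "sympa-6.2.24-sa-2020-003-r1.patch"),
    (parse_version("6.1.25"), parse_version("6.1.25"), "sympa-6.1.25-sa-2020-003-r1.patch"),
)


def triage(version: str, soap_server_running: bool = True) -> str:
    """Return the action the advisory implies for this version and deployment."""
    v = parse_version(version)
    if v >= FIXED:
        return "not affected: fixed in 6.2.60 or later"
    if not soap_server_running:
        # The advisory scopes the problem to deployments running the SOAP server.
        return ("not exposed: sympa_soap_server.fcgi is not running "
                "(upgrade to 6.2.60 or later before enabling it)")
    for low, high, patch in PATCHES:
        if low <= v <= high:
            return f"affected: upgrade to 6.2.60 or later, or apply {patch}"
    # Betas such as 6.2.59b.2, or 6.2.25 to 6.2.27, have no listed patch.
    return "affected: upgrade to 6.2.60 or later (no advisory patch for this version)"


if __name__ == "__main__":
    for ver in ("6.1.25", "6.2", "6.2.58", "6.2.59b.2", "6.2.60"):
        print(f"{ver:10} -> {triage(ver)}")
    print("6.2.30 (no SOAP) ->", triage("6.2.30", soap_server_running=False))
```

The comparison key orders a beta below its final release, so 6.2.59b.2 is treated as older than 6.2.60 and therefore affected; that is the conservative reading of "6.2.60 or later".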
The security flaw was initially reported by Stefan Brenner.
2021-01-04
Initial version published.
2021-01-06
Solution: Added reference to patches for version 6.2.24 or earlier.
Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.