[CVE-2021-46900] Obsolete cookie parameter that is not secure enough
#1091
Comments
|
Thanks a lot for the thorough investigation, @ikedas. For the first item ... I think it is about time to retire direct upgrades from 6.1 to the latest 6.2 release. |
|
It's nice idea to give up direct upgrade from 6.1. (You might mean of Debian packages.) I think |
This suggestion was for Sympa itself only. Debian supports updates to the next release only.
Yes, that makes sense to me. |
@racke: I don't think simply dropping upgrade from versions prior to 6.1 is such a good idea. From my experience, People tend to operate their Sympa during a long time before upgrading, because as long as it makes the job, they don't bother upgrading. And when they decide to do it, what's nice with Sympa is that the whole history of sympa upgrade operations is handled by
Makes sense to me too. |
But that's not really our problem. 6.2 was released in 2015, so we did lots of incompatible changes since then. There is no straightforward upgrade from 6.1 any way in my opinion. |
It is true that "There is no straightforward upgrade from 6.1". However, currently administrators can upgrade from 6.1.x by intervening manually according to Upgrading notes. --- In fact, recently some administrators posted questions about this process. We may drop support for releases prior to 6.2.xx (Of course I agree). This means that we won't provide more fixes for these earlier versions, but doesn't mean that we will stop providing measure to upgradse from earlier versions. |
Certainly but the upgrade takes care of the incompatible changes. Maybe we should create an issue about which version upgrade we support? If old version upgrade is dropped, I'd be in favor of moving old upgrade code to contributions; This way, we get rid of old code and don't abandon old timers. EDIT: rephrase. |
I agree with Soji. |
|
No one with a sane mind would do the upgrade of an old Sympa production installation in place. You are going to start with a test system and run the upgrades until your satisfied with the result. So having to run multiple steps of upgrades is really insignificant compared to the whole progress. That leaves us to decide which is the version we support with the sympa upgrade command. |
However your proposal also affect to the people upgrading from 6.2.58.
As I wrote before, we may not worry about whether code for upgrading process really supports earlier versions. Good night for now. |
|
@ikedas Can you please explain why it affects upgrading from 6.2.58? |
…e_send_spool.pl and upgrade_sympa_password.pl to read the obsoleted parameter by themselves
It's you who tell "to retire direct upgrades from 6.1 to the latest 6.2 release". You also told user may upgrade "having to run multiple steps". I think these mean that users using earlier version must take the first step to upgrade to 6.2.60 (or later?), then the second step to the most recent version: Now the two versions with 6.2.60 in between are allowed to be discontinuous. Thus, anything that has been included in any version prior to 6.2.60 may be removed or changed on the future versions without notice or measures. --- That's why your proposal will also affect to users upgrading from 6.2.58. |
No, that is not my intention. I definitely want to select an early version of 6.2 to be upgradeable to 6.2 latest version and not 6.2.58. For example we choose 6.2.16. Users from 6.1 and 6.2 < 6.2.16 need to upgrade 6.2.16 first. Direct upgrades from 6.2.16 and newer will be supported for the foreseeable future. |
As you know, all of earlier versions are proven vulnerable and buggy. Only version we can recommend is always the latest version at that time. Thus, IMO we cannot recommend particular version of earlier 6.2.x as transient version. # NB: Besides, assuming if you wanted to drop upgrading from earlier versions by getting rid of Anyway, recent some posts are not the discussion about "obsoleting 'cookie' parameter". I'm sorry but I'm going to exercise my authority so that we may save time for discussion which seems not having a quick conclusion: As the Release Manager, I don't allow removal of existing scripts and codes which will help upgrading from earlier versions, during my term, i.e. at least in this year. (see also a thread on discussion) |
|
So be it. I will restrict my contributions to unanimous subjects and keep out discussions like this. |
|
Code has been modified. Next, the documentation should be updated. |
…e file) under sympa-community#1091 - Update POTFILES for changing name of a file - Update xgettext.pl for the new tags
|
Now documentation has been prepared. |
|
Great work @ikedas. 👍 |
|
This issue appears to have CVE-2021-46900 assigned. |
ikedas
changed the title
cookie parametercookie parameter that is not secure enough
|
@carnil , thank you for information! |
Expected Behavior
cookieparameter will be obsoleted.Possible Solution
Context
As far as I investigated with current stable (6.2.60),
cookieparameter is used at least in these things:bin/upgrade_send_spool.pl#sympa_checksum()
to migrate older bulk spool
This is needed for upgrading from versions prior to 6.2.
bin/upgrade_sympa_password.pl#_decrypt_rc4_password()
to migrate older user password
This is needed for upgrading from versions prior to 6.2.26 by which RC4 encryption was deprecated.
Sympa::Tools::Password#tmp_passwd()
to create temporary password for new users;
This process should be removed after careful review.
Sympa::Archive#_get_tag()
to generate randomized tags for
$tag$notation inmhonarc_ressources.tt2This process should be removed by adopting another randomization.
Sympa::List.pm#get_cookie()
to get List's (not the default in sympa.conf)
cookieparameterThis function is no longer used.
The text was updated successfully, but these errors were encountered: