Sympa Debian issues #971
Comments
On top of that I think that we can run Sympa without any setuid/setgid scripts at all. That would solve the security problems associated with these. |
|
6.2.58 packages are in unstable now. Unfortunately there is a problem with piuparts preventing Sympa from entering testing. |
|
It looks all is good now, 6.2.58 is in testing (with 6.2.60 hopefully coming in some days): https://tracker.debian.org/pkg/sympa |
|
6.2.60 entered testing today. I'm going to work through the current list of bugs and will also review the status of the security issues. At any rate, all changes in stable should be also in testing. Soft freeze for bullseye starts at 2021-02-12. |
|
This can be closed. Last remaining issue is this one, but it has already a debian bug (and likely could be closed there as well): |
|
I am going to disable setuid completely in the Debian packages: https://salsa.debian.org/sympa-team/sympa/-/tree/topic/rm-alias-wrapper. This will close the Debian bug report. |
[ This ticket to track two Sympa issues in Debian ]
Sympa was removed from Debian testing last month, due to CVE-2020-10936 security issue. Sympa >= 6.2.56 has the security issue fixed, so updating to it should be enough to get Sympa into Debian again. Unless it can get added again before 2021-02-12 it won't be available in Debian 11 (bullseye), see Debian 11 Freeze Policy.
Sympa 6.2.40~dfsg-1 in Debian 10 (buster) has two "Severity: critical" security issues. See sympa security tracker and CVE-2020-9369 (already fixed in Debian unstable 6.2.40~dfsg-4) and CVE-2020-10936 (not fixed in Debian) bug reports.
The text was updated successfully, but these errors were encountered: