Ubuntu Security Notice 4442-1 - Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP GET/POST requests. An attacker could possibly use this issue to insert, edit or obtain sensitive information. It was discovered that Sympa incorrectly handled URL parameters. An attacker could possibly use this issue to perform XSS attacks. Nicolas Chatelain discovered that Sympa incorrectly handled environment variables. An attacker could possibly use this issue with a setuid binary and gain root privileges. Various other issues were also addressed.
7020185eae4c1a4feb195064dd4e42bd3d4a8eca72224fca58383c0be086b058
=========================================================================
Ubuntu Security Notice USN-4442-1
July 28, 2020
sympa vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in Sympa.
Software Description:
- sympa: Modern mailing list manager
Details:
Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP
GET/POST requests. An attacker could possibly use this issue to insert,
edit or obtain sensitive information. (CVE-2018-1000550)
It was discovered that Sympa incorrectly handled URL parameters. An
attacker could possibly use this issue to perform XSS attacks.
(CVE-2018-1000671)
Nicolas Chatelain discovered that Sympa incorrectly handled environment
variables. An attacker could possibly use this issue with a setuid
binary and gain root privileges. (CVE-2020-10936)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
sympa 6.1.17~dfsg-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4442-1
CVE-2018-1000550, CVE-2018-1000671, CVE-2020-10936