Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian LTS: Security Advisory for sympa (DLA-2441-1)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update for the 'sympa' package(s) announced via the DLA-2441-1 advisory.
Insight
Insight
A privilege escalation was discovered in Sympa, a modern mailing list manager. It is fixed when Sympa is used in conjunction with common MTAs (such as Exim or Postfix) by disabling a setuid executable, although no fix is currently available for all environments (such as sendmail). Additionally, an open-redirect vulnerability was discovered and fixed. CVE-2020-26880 Sympa allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. CVE-2018-1000671 Sympa contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The 'referer' parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs.
Affected Software
Affected Software
'sympa' package(s) on Debian Linux.
Detection Method
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
Solution
For Debian 9 stretch, these problems have been fixed in version 6.2.16~dfsg-3+deb9u4. We recommend that you upgrade your sympa packages.