git: 10ad22f83cf7 - main - mail/sympa: add vuxml entry

Neel Chauhan nc at FreeBSD.org
Wed Apr 28 16:59:06 UTC 2021 

The branch main has been updated by nc:

URL: https://cgit.FreeBSD.org/ports/commit/?id=10ad22f83cf7c9a495f3f04c822e2b63ee580215

commit 10ad22f83cf7c9a495f3f04c822e2b63ee580215
Author:     Neel Chauhan <nc at FreeBSD.org>
AuthorDate: 2021-04-28 16:56:22 +0000
Commit:     Neel Chauhan <nc at FreeBSD.org>
CommitDate: 2021-04-28 16:56:22 +0000

    mail/sympa: add vuxml entry
    
    PR:             255455
    Submitted by:   Geoffroy Desvernay <dgeo at centrale-marseille.fr> (maintainer)
---
 security/vuxml/vuln.xml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 7a8b0a201a25..1c57d6d1662d 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -76,6 +76,46 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9">
+    <topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic>
+    <affects>
+      <package>
+	<name>sympa</name>
+	<range><lt>6.2.62</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Earlier versions of Sympa require a parameter named cookie in sympa.conf
+	configuration file.</p>
+	<blockquote cite="https://sympa-community.github.io/security/2021-001.html">
+	<p>This parameter was used to make some identifiers generated by the system
+	unpredictable. For example, it was used as following:</p>
+	<ul><li>To be used as a salt to encrypt passwords stored in the database by
+	the RC4 symmetric key algorithm.
+	<p>Note that RC4 is no longer considered secure enough and is not supported
+	in the current version of Sympa.</p></li>
+	<li>To prevent attackers from sending crafted messages to achieve XSS and
+	so on in message archives.</li></ul>
+	<p>There were the following problems with the use of this parameter.</p>
+	<ol><li>This parameter, for its purpose, should be different for each
+	installation, and once set, it cannot be changed. As a result, some sites
+	have been operating without setting this parameter. This completely
+	invalidates the security measures described above.</li>
+	<li>Even if this parameter is properly set, it may be considered not being
+	strong enough against brute force attacks.</li></ol>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://sympa-community.github.io/security/2021-001.html</url>
+    </references>
+    <dates>
+      <discovery>2021-04-27</discovery>
+      <entry>2021-04-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>

More information about the dev-commits-ports-all mailing list