Date: Wed, 28 Apr 2021 16:59:06 GMT From: Neel Chauhan <nc@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 10ad22f83cf7 - main - mail/sympa: add vuxml entry Message-ID: <202104281659.13SGx6I0050325@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by nc: URL: https://cgit.FreeBSD.org/ports/commit/?id=10ad22f83cf7c9a495f3f04c822e2b63ee580215 commit 10ad22f83cf7c9a495f3f04c822e2b63ee580215 Author: Neel Chauhan <nc@FreeBSD.org> AuthorDate: 2021-04-28 16:56:22 +0000 Commit: Neel Chauhan <nc@FreeBSD.org> CommitDate: 2021-04-28 16:56:22 +0000 mail/sympa: add vuxml entry PR: 255455 Submitted by: Geoffroy Desvernay <dgeo@centrale-marseille.fr> (maintainer) --- security/vuxml/vuln.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 7a8b0a201a25..1c57d6d1662d 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9"> + <topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic> + <affects> + <package> + <name>sympa</name> + <range><lt>6.2.62</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Earlier versions of Sympa require a parameter named cookie in sympa.conf + configuration file.</p> + <blockquote cite="https://sympa-community.github.io/security/2021-001.html">; + <p>This parameter was used to make some identifiers generated by the system + unpredictable. For example, it was used as following:</p> + <ul><li>To be used as a salt to encrypt passwords stored in the database by + the RC4 symmetric key algorithm. + <p>Note that RC4 is no longer considered secure enough and is not supported + in the current version of Sympa.</p></li> + <li>To prevent attackers from sending crafted messages to achieve XSS and + so on in message archives.</li></ul> + <p>There were the following problems with the use of this parameter.</p> + <ol><li>This parameter, for its purpose, should be different for each + installation, and once set, it cannot be changed. As a result, some sites + have been operating without setting this parameter. This completely + invalidates the security measures described above.</li> + <li>Even if this parameter is properly set, it may be considered not being + strong enough against brute force attacks.</li></ol> + </blockquote> + </body> + </description> + <references> + <url>https://sympa-community.github.io/security/2021-001.html</url>; + </references> + <dates> + <discovery>2021-04-27</discovery> + <entry>2021-04-27</entry> + </dates> + </vuln> + <vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104281659.13SGx6I0050325>