On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
> 
> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > Package: sympa
> > Version: 5.3.4-6.1
> > Severity: normal
> > 
> > Hi.
> > 
> > I just upgraded one of my servers from etch to lenny and got :
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
> > $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, 
> > <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
> > while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
> > $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, 
> > <IN> line 77.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
> > while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > in the apache logs.
> 
> This bug seems quite old, and I wonder if it's still valid? It doesn't
> seem to be reproducible with the latest versions of sympa.
> 
> Do you experience it with sympa >= 6.x?

I've upgraded my system to squeeze and installed the sympa package from 
backports as it seems I heard you mention it somewhere ;)

I'm not sure, but I don't think so, for those errors above.

On the other hand, the problem with these warnings:
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/Lock.pm line 253., referer: 
https://cgt-int.dnsalias.org/wws
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/List.pm line 9703., referer: 
https://cgt-int.dnsalias.org/wws
is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in 
that version... so I'm not sure what's wrong....

I don't know if you want to take care of that backports version in this 
ticket.

Thanks in advance if you can ;)

Best regards,

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
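
The "Insecure $ENV{PATH}" and "Insecure dependency in open" diagnostics quoted in this thread come from Perl's taint checks, which are enabled automatically for setuid scripts. The following is an added example, not part of the original mail and not Sympa's code, that reproduces both and shows the usual remedy; the list name, the lock-file layout and the use of /bin/true are assumptions.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl  (-T forces the checks a setuid script gets)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed stand-in for request data: a zero-length tainted string taken
# from the inherited environment taints anything concatenated with it.
my $taint     = substr(join('', values %ENV), 0, 0);
my $list_name = 'staff-announce' . $taint;    # hypothetical list name

# 1. "Insecure $ENV{PATH}": running any command with an inherited
#    environment is refused, even when the command path is absolute.
my $ran = eval { system('/bin/true'); 1 };
print "exec refused: $@" unless $ran;

# Remedy: set PATH to a fixed value and drop the variables shells act on.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
system('/bin/true');                          # now passes the taint check

# 2. "Insecure dependency in open": a tainted value may not be used in the
#    name of a file opened for writing.
my $dir = tempdir();                          # hypothetical lock directory
my $opened = eval { open(my $fh, '>', "$dir/$list_name.lock"); 1 };
print "open refused: $@" unless $opened;

# Remedy: validate against a strict allow-list pattern; only the captured
# group ($1) is untainted. Never untaint with a catch-all such as /(.*)/.
sub untaint_list_name {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /\A([a-z0-9][a-z0-9_-]{0,63})\z/;
    return;
}

my $safe = untaint_list_name($list_name)
    or die "rejected list name\n";
my $path = "$dir/$safe.lock";
open(my $lock, '>', $path) or die "open $path: $!";
close $lock;
printf "validated open ok (still tainted: %s)\n", tainted($safe) ? 'yes' : 'no';

unlink $path;
rmdir $dir;
```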



