Sylvain Beucler

**Name of the Vulnerable Software and Affected Versions** Debian Sympa package versions prior to 6.2.40~dfsg-7 **Description** The issue is related to the debian/sympa.postinst component of the Sympa package, which sets incorrect permissions for the sympa newaliases-wrapper. This could allow a remote attacker to impact data integrity. The intended permissions are mode 4750, which allows access by the sympa group, but the current setting is mode 4755. **Recommendations** For versions prior to 6.2.40~dfsg-7, update to version 6.2.40~dfsg-7 or later to resolve the issue. As a temporary workaround, consider changing the permissions of sympa newaliases-wrapper to mode 4750 to restrict access to the sympa group.

**Name of the Vulnerable Software and Affected Versions** Bash versions prior to 4.4-beta2 **Description** The issue is related to the restricted command interpreter rbash in Bash, which is associated with insufficient checking of the BASH CMDS array values. This could allow an attacker to execute arbitrary commands. The problem arises because rbash does not prevent the shell user from modifying BASH CMDS, thus enabling the user to execute any command with the permissions of the shell. **Recommendations** For versions prior to 4.4-beta2, update to version 4.4-beta2 or later to resolve the issue. As a temporary workaround, consider restricting access to the BASH CMDS array to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DFArc versions prior to 3.14 DFArc2 versions prior to 3.14 Dink Smallwood HD versions prior to 3.14 **Description** The issue is related to directory traversal in the D-Mod extractor, which can be exploited by an attacker to overwrite arbitrary files on the user's system. **Recommendations** For DFArc versions prior to 3.14, update to version 3.14 or later. For DFArc2 versions prior to 3.14, update to version 3.14 or later. For Dink Smallwood HD versions prior to 3.14, update to version 3.14 or later.

**Name of the Vulnerable Software and Affected Versions** GForge versions 4.5.14, 4.7 rc2, 4.8.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on authorized keys files in users' home directories. This is related to the deb-specific/ssh dump update.pl and cronjobs/cvs-cron/ssh create.php scripts. **Recommendations** For version 4.5.14, consider restricting access to the ssh dump update.pl script until a fix is available. For version 4.7 rc2, avoid using the ssh create.php script in cronjobs/cvs-cron until the issue is resolved. For version 4.8.2, as a temporary workaround, consider disabling the execution of cronjobs/cvs-cron/ssh create.php to minimize the risk of exploitation.