PT-2019-5774 · Debian · Sympa

Sylvain Beucler · Published 2019-01-08 · Updated 2022-11-08 · CVE-2020-26932

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Debian Sympa package versions prior to 6.2.40~dfsg-7

Description

The issue is in the debian/sympa.postinst component of the Sympa package, which sets incorrect permissions on the sympa newaliases-wrapper. This could allow a remote attacker to impact data integrity. The intended permissions are mode 4750, which allows access by the sympa group, but the current setting is mode 4755.

Recommendations

Update to version 6.2.40~dfsg-7 or later to resolve the issue. As a temporary workaround, consider changing the permissions of sympa newaliases-wrapper to mode 4750 to restrict access to the sympa group.
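
The following check is an added example, not part of the advisory or of the Sympa or Debian packaging. It audits a setuid wrapper against the intended mode 4750 and the sympa group described above. The advisory does not give the wrapper's path, so it is passed as an argument; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a setuid wrapper against the advisory's intended mode.
# The wrapper path is NOT given in the advisory; pass it as an argument.

INTENDED_MODE=4750      # from the advisory: setuid, group access, no world access
INTENDED_GROUP=sympa    # group named in the advisory

# classify_mode MODE -> prints a verdict; returns 0 only for the intended mode.
classify_mode() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid"; return 2 ;;
    esac
    m=$((0$1))                       # leading 0 makes the shell read it as octal
    if [ "$m" -eq $((0$INTENDED_MODE)) ]; then
        echo "ok"; return 0
    fi
    if [ $((m & 04000)) -ne 0 ] && [ $((m & 07)) -ne 0 ]; then
        echo "setuid-world-accessible"   # e.g. 4755, the flawed setting
        return 1
    fi
    echo "unexpected"; return 1
}

# audit_wrapper PATH -> checks mode and group of a real file (GNU stat assumed).
audit_wrapper() {
    [ -e "$1" ] || { echo "missing: $1"; return 2; }
    mode=$(stat -c '%a' "$1") || return 2
    group=$(stat -c '%G' "$1") || return 2
    verdict=$(classify_mode "$mode") && rc=0 || rc=$?
    echo "$1: mode=$mode group=$group verdict=$verdict"
    if [ "$rc" -ne 0 ]; then
        echo "  workaround from the advisory: chmod $INTENDED_MODE '$1'"
    fi
    if [ "$group" != "$INTENDED_GROUP" ]; then
        echo "  group is '$group', expected '$INTENDED_GROUP'"
        rc=1
    fi
    return "$rc"
}

# Run the audit only when a path is supplied on the command line.
if [ "$#" -gt 0 ]; then
    audit_wrapper "$1"
fi
```

A non-zero exit status means the file differs from the intended mode or group, which makes the script usable in a configuration-compliance job.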

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

BDU:2021-01769
CVE-2020-26932
DLA-2401-1
DSA-4818-1

Affected Products

Sympa