PT-2019-5774 · Debian · Sympa
Sylvain Beucler · Published 2019-01-08 · Updated 2022-11-08 · CVE-2020-26932
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Debian Sympa package versions prior to 6.2.40~dfsg-7
Description
The issue is in the debian/sympa.postinst component of the Sympa package, which sets incorrect permissions on the sympa newaliases-wrapper. The intended permissions are mode 4750, which allows access by the sympa group, but affected versions set mode 4755, which also grants read and execute access on the setuid wrapper to all other users. This could allow a remote attacker to impact data integrity.
Recommendations
For versions prior to 6.2.40~dfsg-7, update to version 6.2.40~dfsg-7 or later to resolve the issue. As a temporary workaround, consider changing the permissions of sympa newaliases-wrapper to mode 4750 to restrict access to the sympa group.
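One way to audit and apply the workaround mode is shown below. This is an added example, not code from the Debian package or from Sympa. The function names `check_wrapper_mode` and `restrict_wrapper` are hypothetical, GNU `stat` is assumed, and the wrapper's path is passed in by the caller (the demo uses a constructed temporary file in its place).

```shell
#!/bin/sh
# Added example (not Debian's or Sympa's code): audit a setuid wrapper's mode
# against the advisory's intended 4750. The path is passed by the caller.

# check_wrapper_mode PATH
#   0 = "other" has no permission bits (e.g. 4750)
#   1 = "other" has permission bits (e.g. 4755, the vulnerable setting)
#   2 = PATH does not exist
check_wrapper_mode() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    # GNU stat prints the octal mode without padding; pad to 4 digits
    mode=$(printf '%04d' "$(stat -c '%a' -- "$path")")
    special=${mode%???}   # first digit: setuid=4, setgid=2, sticky=1
    other=${mode#???}     # last digit: permissions for "other"
    case $special in
        4|5|6|7) suid="setuid" ;;
        *)       suid="not setuid" ;;
    esac
    if [ "$other" -ne 0 ]; then
        echo "FAIL $path mode=$mode ($suid, accessible to all users)"
        return 1
    fi
    echo "OK   $path mode=$mode ($suid, no access for other users)"
    return 0
}

# restrict_wrapper PATH: apply the workaround mode from the advisory.
restrict_wrapper() {
    chmod 4750 -- "$1"
}

# Constructed demo on a temporary file standing in for the wrapper.
demo=$(mktemp)
chmod 4755 "$demo"            # mode set by the affected postinst
check_wrapper_mode "$demo" || echo "-> applying workaround"
restrict_wrapper "$demo"
check_wrapper_mode "$demo"
rm -f "$demo"
```

The wrapper's group ownership is not checked here; mode 4750 only restricts access to the sympa group if the file's group is in fact sympa.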
Fix
Incorrect Permission
Weakness Enumeration
Related Identifiers
Affected Products
Sympa