FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-02-13 20:06:50 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
0add6e6b-6883-11eb-b0cb-f8b156c2bfe9	sympa -- Unauthorised full access via SOAP API due to illegal cookie Sympa community reports: Unauthorised full access via SOAP API due to illegal cookie Discovery 2020-11-24 Entry 2021-02-06 sympa < 6.2.60 CVE-2020-29668 https://sympa-community.github.io/security/2020-003.html
31a7ffb1-a80a-11eb-b159-f8b156c2bfe9	sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security. Earlier versions of Sympa require a parameter named cookie in sympa.conf configuration file. This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used as following: To be used as a salt to encrypt passwords stored in the database by the RC4 symmetric key algorithm. Note that RC4 is no longer considered secure enough and is not supported in the current version of Sympa. To prevent attackers from sending crafted messages to achieve XSS and so on in message archives. There were the following problems with the use of this parameter. This parameter, for its purpose, should be different for each installation, and once set, it cannot be changed. As a result, some sites have been operating without setting this parameter. This completely invalidates the security measures described above. Even if this parameter is properly set, it may be considered not being strong enough against brute force attacks. Discovery 2021-04-27 Entry 2021-04-27 sympa < 6.2.62 https://sympa-community.github.io/security/2021-001.html

VuXML ID

Description

0add6e6b-6883-11eb-b0cb-f8b156c2bfe9

sympa -- Unauthorised full access via SOAP API due to illegal cookie

Sympa community reports:

Unauthorised full access via SOAP API due to illegal cookie

Discovery 2020-11-24
Entry 2021-02-06
sympa

< 6.2.60

CVE-2020-29668
https://sympa-community.github.io/security/2020-003.html

31a7ffb1-a80a-11eb-b159-f8b156c2bfe9

sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.

Earlier versions of Sympa require a parameter named cookie in sympa.conf configuration file.

This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used as following:

To be used as a salt to encrypt passwords stored in the database by the RC4 symmetric key algorithm.
Note that RC4 is no longer considered secure enough and is not supported in the current version of Sympa.

To prevent attackers from sending crafted messages to achieve XSS and so on in message archives.

There were the following problems with the use of this parameter.

This parameter, for its purpose, should be different for each installation, and once set, it cannot be changed. As a result, some sites have been operating without setting this parameter. This completely invalidates the security measures described above.

Even if this parameter is properly set, it may be considered not being strong enough against brute force attacks.

Discovery 2021-04-27
Entry 2021-04-27
sympa

< 6.2.62

https://sympa-community.github.io/security/2021-001.html