FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.

Affected packages
sympa < 6.2.62

Details

VuXML ID 31a7ffb1-a80a-11eb-b159-f8b156c2bfe9
Discovery 2021-04-27
Entry 2021-04-27

Earlier versions of Sympa require a parameter named cookie in the sympa.conf configuration file.

This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used as follows:

There were the following problems with the use of this parameter.

  1. This parameter, for its purpose, should be different for each installation, and once set, it cannot be changed. As a result, some sites have been operating without setting this parameter. This completely invalidates the security measures described above.
  2. Even if this parameter is properly set, it may be considered not strong enough against brute-force attacks.
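An audit check for the two problems above, as an added example that is not part of the advisory or of Sympa's own code. It assumes sympa.conf uses one `name value` pair per line with `#` comments; the 64-bit threshold, the entropy heuristic and the finding codes are choices made for this example.

```python
import math
import re
from collections import Counter

FIXED_IN = (6, 2, 62)   # advisory: packages with sympa < 6.2.62 are affected
MIN_BITS = 64           # assumed review threshold for this example only


def parse_conf(text):
    """Return {name: value} from 'name value' lines, skipping blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def estimated_bits(secret):
    """Rough heuristic: Shannon entropy of the character mix times the length."""
    if not secret:
        return 0.0
    n = len(secret)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(secret).values())
    return per_char * n


def audit(pkg_version, conf_text):
    """Return sorted finding codes (hypothetical names) for one installation."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", pkg_version)
    if m and tuple(int(g) for g in m.groups()) >= FIXED_IN:
        return []                                # outside the affected range
    findings = ["version-affected" if m else "version-unparsed"]
    cookie = parse_conf(conf_text).get("cookie", "")
    if not cookie:
        findings.append("cookie-unset")          # problem 1 in the advisory
    elif estimated_bits(cookie) < MIN_BITS:
        findings.append("cookie-weak")           # problem 2 in the advisory
    return sorted(findings)


# Constructed sample configurations, not taken from any real site.
UNSET = "# sympa.conf\ndomain lists.example.org\n"
WEAK = "domain lists.example.org\ncookie 123456789\n"

if __name__ == "__main__":
    print(audit("6.2.60", UNSET), audit("6.2.60", WEAK))
```

The entropy figure only reflects the character mix of the value, so a low score is a reliable warning while a high score does not prove the value was randomly generated.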

References

URL https://sympa-community.github.io/security/2021-001.html