
Bug#978932: sympa: webinterface broken after installing 6.2.40~dfsg-1+deb10u1


Tobias Frost

Dec 31, 2020, 11:50:04 AM
Package: sympa
Version: 6.2.40~dfsg-1+deb10u1
Severity: important

Dear Maintainer,

After installation of the security update the web interface is defunct.
It still loads the "default" site (here: https://$DOMAIN/wws/) but that is also
the site that will be loaded when selecting a menu entry, for example "Login".
(IOW, Login not possible as the login form is not presented)

Downgrading to 6.2.40~dfsg-1 makes it work again.

Webserver is an nginx instance.

The only hint I got (could be a red herring) is this in the nginx error log,
the sympa log is silent…

Here's an example of the nginx one:
(There are many of those…)

2020/12/27 12:13:57 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M
[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408" while reading upstream, client: 80.209.204.233, server: lists.regensburg-repariert.de, request: "GET /wws/reviewbouncing/info HTTP/2.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "lists.regensburg-repariert.de"
2020/12/27 12:14:21 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun Dec 27 12:14:21 2020] wwsympa.fcgi: Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M

(Those started exactly on Dec 24, after unattended-upgrades pulled in the security update)

Let me know if I can provide more information…

Cheers,
--
tobi

Stefan Hornburg (Racke)

Dec 31, 2020, 12:30:04 PM
Yes, please share the part of your Nginx configuration with regards to Sympa and your WWSympa FCGI service setup.
If you use the wwsympa wrapper, please drop it.

Regards
Racke

--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.


Sylvain Beucler

Jan 2, 2021, 12:10:04 PM
Hi,

This looks like a duplicate of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189#45

In the buster version though, CGI mode (which fcgiwrap emulates) was
removed from Sympa hence why I didn't add the same NEWS note as in
stretch. It looks like this was still working somehow.

For the record here is the NEWS note:

The fix for the CVE-2020-10936 security issue forced us to drop CGI
mode for wwsympa earlier than officially (6.2.24).

In particular, users of nginx+fcgiwrap are invited to switch to
nginx+spawn-fcgi:

https://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html

See also:
https://bugs.debian.org/972189
https://github.com/sympa-community/sympa/issues/1020

Cheers!
Sylvain

Tobias Frost

Jan 10, 2021, 12:40:04 PM
Hi Racke,

thanks for your quick mail and sorry for the late reply, didn't find time until
now.

On Thu, Dec 31, 2020 at 06:17:45PM +0100, Stefan Hornburg (Racke) wrote:
> Yes, please share the part of your Nginx configuration with regards to Sympa and your WWSympa FCGI service setup.
> If you use the wwsympa wrapper, please drop it.

This is probably the hint I needed. Did not find time to evaluate properly, but my config looks like the one on
https://wiki.debian.org/Sympa/Nginx (I probably stole it from there :)), and I guess the line

fastcgi_param SCRIPT_FILENAME $document_root/wwsympa-wrapper.fcgi;

is saying that I'm indeed using the said wrapper…

It will take me a few more days until I'll be able to check if updating
my configuration will fix it, but I'll send an update to the BTS…

Cheers,
tobi
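
A triage check for the symptom and configuration discussed in this thread, as an added example that is not part of any poster's message or of the Sympa or Debian packages: it counts the Session.pm `$remote_addr` warnings per FastCGI upstream in an nginx error log and flags `fcgiwrap` and `wwsympa-wrapper.fcgi` references in a server block. The sample log and config are constructed (modelled on the lines quoted above), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample data, modelled on the log entry and config line quoted in the thread.
SAMPLE_LOG = """\
2020/12/27 12:13:57 [error] 8193#8193: *1 FastCGI sent in stderr: "[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.
[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408" while reading upstream, client: 192.0.2.10, server: lists.example.org, upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "lists.example.org"
2020/12/27 12:14:02 [error] 8193#8193: *2 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10
2020/12/27 12:14:21 [error] 8193#8193: *3 FastCGI sent in stderr: "[Sun Dec 27 12:14:21 2020] wwsympa.fcgi: Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408" while reading upstream, client: 192.0.2.10, upstream: "fastcgi://unix:/run/fcgiwrap.socket:"
"""
SAMPLE_CONF = """\
location /wws {
    include fastcgi_params;
    fastcgi_pass unix:/run/fcgiwrap.socket;
    fastcgi_param SCRIPT_FILENAME $document_root/wwsympa-wrapper.fcgi;
}
"""

ENTRY_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[", re.M)
WARNING = re.compile(r"Use of uninitialized value \$remote_addr .*?Sympa/WWW/Session\.pm")
UPSTREAM = re.compile(r'upstream: "fastcgi://([^"]+?):?"')

def split_entries(log_text):
    """Split on nginx timestamps: FastCGI stderr keeps its newlines, so one entry can span lines."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    return [log_text[a:b] for a, b in zip(starts, starts[1:] + [len(log_text)])]

def remote_addr_warnings(log_text):
    """Count Session.pm $remote_addr warnings per FastCGI upstream."""
    hits = Counter()
    for entry in split_entries(log_text):
        if WARNING.search(entry):
            up = UPSTREAM.search(entry)
            hits[up.group(1) if up else "unknown"] += 1
    return hits

def config_findings(conf_text):
    """Return (line number, kind) for fcgiwrap upstreams and wrapper SCRIPT_FILENAMEs."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # ignore comments
        if re.match(r"fastcgi_pass\s+\S*fcgiwrap\S*\s*;", line):
            findings.append((lineno, "fcgiwrap"))
        elif re.match(r"fastcgi_param\s+SCRIPT_FILENAME\s+\S*wwsympa-wrapper\.fcgi\s*;", line):
            findings.append((lineno, "wrapper"))
    return findings

if __name__ == "__main__":
    for upstream, n in remote_addr_warnings(SAMPLE_LOG).items():
        print(f"{n} Session.pm $remote_addr warning(s) via {upstream}")
    for lineno, kind in config_findings(SAMPLE_CONF):
        print(f"config line {lineno}: {kind}")
```
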

Stefan Hornburg (Racke)

Jan 11, 2021, 3:40:03 AM
Hello Tobi,

thanks for the update. I'll try to find time to correct that page and/or include an Nginx snippet into the
Debian package.

Nikolay Shaplov

Mar 6, 2023, 1:00:05 PM
Hi!

I've updated the https://wiki.debian.org/Sympa/Nginx page with new instructions
that are suitable for newer Debian releases.

I actually run sympa on my Debian Buster using this configuration, and I
expect it to work on Bullseye and later versions.

This configuration uses systemd to spawn cgi-wrapper activated by socket read.
This way is actually advised by spawn-fcgi authors
(https://redmine.lighttpd.net/projects/spawn-fcgi/wiki/Systemd)

I would suggest that this solution be added to the sympa package, when
installation with nginx is chosen. spawn-fcgi is really not needed here.


--
Nikolay Shaplov aka Nataraj
Fuzzing Engineer at Postgres Professional
Matrix IM: @dhyan:nataraj.su