Package: sympa
Version: 6.2.40~dfsg-1+deb10u1
Severity: important

Dear Maintainer,

After installation of the security update the web interface is defunct. It still loads the "default" site (here: https://$DOMAIN/wws/), but that is also the site that gets loaded when selecting a menu entry, for example "Login". (IOW, login is not possible as the login form is not presented.) Downgrading to 6.2.40~dfsg-1 makes it work again.

Webserver is an nginx instance. The only hint I got (could be a red herring) is this in the nginx error log; the sympa log is silent… Here's an example of the nginx one (there are many of those…):

2020/12/27 12:13:57 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M [Sun Dec 27 12:13:57 2020] wwsympa.fcgi: Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408" while reading upstream, client: 80.209.204.233, server: lists.regensburg-repariert.de, request: "GET /wws/reviewbouncing/info HTTP/2.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "lists.regensburg-repariert.de"
2020/12/27 12:14:21 [error] 8193#8193: *2819965 FastCGI sent in stderr: "[Sun Dec 27 12:14:21 2020] wwsympa.fcgi: Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/WWW/Session.pm line 408.^M

(Those started exactly on Dec 24, after unattended-upgrades pulled in the security update.)

Let me know if I can provide more information…

Cheers,
Yes, please share the part of your Nginx configuration with regards to Sympa and your WWSympa FCGI service setup.
If you use the wwsympa wrapper, please drop it.
Regards
Racke
Hi,

This looks like a duplicate of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189 (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972189#45). In the buster version though, CGI mode (which fcgiwrap emulates) was removed from Sympa, hence why I didn't add the same NEWS note as in stretch. It looks like this was still working somehow.

For the record here is the NEWS note:

  The fix for the CVE-2020-10936 security issue forced us to drop CGI mode for wwsympa earlier than officially (6.2.24). In particular, users of nginx+fcgiwrap are invited to switch to nginx+spawn-fcgi: https://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html

  See also: https://bugs.debian.org/972189 https://github.com/sympa-community/sympa/issues/1020

Cheers!
Sylvain
Hi Racke,

thanks for your quick mail and sorry for the late reply, didn't find time until now.

On Thu, Dec 31, 2020 at 06:17:45PM +0100, Stefan Hornburg (Racke) wrote:

This is probably the hint I needed. Did not find time to evaluate properly, but my config looks like the one on https://wiki.debian.org/Sympa/Nginx (I probably stole it from there :)), and I guess the line

  fastcgi_param SCRIPT_FILENAME $document_root/wwsympa-wrapper.fcgi;

is saying that I'm indeed using the said wrapper… It will take me a few more days until I'll be able to check if updating my configuration will fix it, but I'll send an update to the BTS…

Cheers,
tobi
Hello Tobi,
thanks for the update. I'll try to find time to correct that page and/or include a Nginx snippet into the
Debian package.
Regards
Racke
Hi!

I've updated the https://wiki.debian.org/Sympa/Nginx page with new instructions that are suitable for newer Debians. I actually run sympa on my Debian Buster using this configuration, and I expect it to work on Bullseye and later versions.

This configuration uses systemd to spawn the cgi-wrapper, activated by a socket read. This way is actually advised by the spawn-fcgi authors (https://redmine.lighttpd.net/projects/spawn-fcgi/wiki/Systemd).

I would suggest this solution be added to the sympa package when installation with nginx is chosen. spawn-fcgi is really not needed here.
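The script below is an added example for this thread; it is not the Debian package's, the Sympa project's or the wiki page's own files. It covers both the "are you still using the wwsympa wrapper?" question raised earlier (it greps an nginx config for wwsympa-wrapper.fcgi / fcgiwrap, ignoring comments) and the systemd socket-activation replacement described in the last message: a socket unit owned by the web server user, a service that receives the socket on fd 0 via StandardInput=socket (the same thing spawn-fcgi arranges), and an nginx location that talks FastCGI to that socket directly. Every path and name in it is an assumption to adjust for your host: wwsympa.fcgi at /usr/lib/cgi-bin/sympa/wwsympa.fcgi running as user and group sympa, nginx running as www-data, the socket at /run/sympa/wwsympa.socket, the web path /wws, and an existing sympa.service to order after.

```shell
#!/bin/sh
# Added example, not the Debian package's, the wiki's or the Sympa project's
# own files. Assumed paths (adjust to your installation): wwsympa.fcgi at
# /usr/lib/cgi-bin/sympa/wwsympa.fcgi running as user/group "sympa", nginx
# running as www-data, FastCGI socket /run/sympa/wwsympa.socket, web path /wws.
WWSYMPA_FCGI=${WWSYMPA_FCGI:-/usr/lib/cgi-bin/sympa/wwsympa.fcgi}
FCGI_SOCKET=${FCGI_SOCKET:-/run/sympa/wwsympa.socket}

# Return 1 (printing the offending lines) if an nginx config still routes
# Sympa through fcgiwrap or wwsympa-wrapper.fcgi, which the security update
# no longer supports; return 0 if it is clean. Comments are ignored.
check_nginx_sympa_conf() {
    if sed 's/#.*//' "$1" | grep -nE 'wwsympa-wrapper\.fcgi|fcgiwrap'; then
        echo "$1: still uses the wwsympa wrapper / fcgiwrap" >&2
        return 1
    fi
    return 0
}

# Write the systemd socket + service units and an nginx snippet below PREFIX.
# On a real host use PREFIX=/, then: systemctl daemon-reload,
# systemctl enable --now wwsympa.socket, nginx -t, systemctl reload nginx.
write_sympa_fcgi_config() {
    prefix=$1
    mkdir -p "$prefix/etc/systemd/system" "$prefix/etc/nginx/snippets"

    cat > "$prefix/etc/systemd/system/wwsympa.socket" <<EOF
[Unit]
Description=WWSympa FastCGI socket

[Socket]
ListenStream=$FCGI_SOCKET
# Only the web server may connect: the socket is owned by nginx's user.
SocketUser=www-data
SocketGroup=www-data
SocketMode=0600

[Install]
WantedBy=sockets.target
EOF

    cat > "$prefix/etc/systemd/system/wwsympa.service" <<EOF
[Unit]
Description=WWSympa FastCGI backend (socket activated)
Requires=wwsympa.socket
After=sympa.service

[Service]
User=sympa
Group=sympa
# A FastCGI program expects its listening socket on fd 0, which is what
# spawn-fcgi arranges; StandardInput=socket makes systemd do the same.
StandardInput=socket
ExecStart=$WWSYMPA_FCGI
EOF

    cat > "$prefix/etc/nginx/snippets/sympa.conf" <<EOF
# Replaces the old fcgiwrap block (fastcgi_pass unix:/run/fcgiwrap.socket;
# fastcgi_param SCRIPT_FILENAME \$document_root/wwsympa-wrapper.fcgi;)
# with a direct FastCGI connection to the socket-activated wwsympa.fcgi.
location /wws {
    include fastcgi_params;
    fastcgi_pass unix:$FCGI_SOCKET;
    fastcgi_split_path_info ^(/wws)(.*)\$;
    fastcgi_param SCRIPT_NAME \$fastcgi_script_name;
    fastcgi_param PATH_INFO \$fastcgi_path_info;
}
EOF
}

# Usage: sh sympa-fcgi.sh --write /
#        sh sympa-fcgi.sh --check /etc/nginx/sites-enabled/sympa
case "${1:-}" in
    --write) write_sympa_fcgi_config "${2:-/}" ;;
    --check) check_nginx_sympa_conf "$2" ;;
esac
```

Run `--check` against the site config first: if it flags the `wwsympa-wrapper.fcgi` / `fcgiwrap.socket` lines, replace that block with the generated snippet (`include snippets/sympa.conf;` inside the server block), enable `wwsympa.socket`, and confirm with `ss -xlp | grep wwsympa` that systemd owns the socket before reloading nginx. Because the socket is mode 0600 owned by www-data, nothing but the web server can reach the FastCGI backend, and `fcgiwrap` can be removed entirely.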