Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2012-01-07 Thread Giorgio Volpe

Same problem!?

Upgraded from sympa 5.4 to sympa_6.1.7~dfsg-2

Now wwsympa doesn't work any more.
I got a lot of "Insecure ... while running setuid" errors in the logs, repeated many times. These are only the first and last
lines ...


[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in sprintf while running setuid at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Use of uninitialized value $_[0] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Use of uninitialized value $_[1] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.

 many others ---
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in require while running setuid at /usr/lib/perl5/Template/Plugins.pm line 29.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in require while running setuid at /usr/lib/perl5/Template/Filters.pm line 22.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: incomplete headers (0 bytes) received from server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi


My configs:

/etc/apache2/conf.d/sympa
# Apache configuration file for Sympa

Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fc


/etc/apache2/mods-available/fastcgi.conf
<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  FastCgiConfig -idle-timeout 120
  FastCgiIpcDir /var/lib/apache2/fastcgi
</IfModule>


in virtual host apache config ...
<Location /wws>
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Location>



any help would be very appreciated!
Thanks

Giorgio



Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2012-01-05 Thread David Verdin

Dear all,

This problem showed up recently and was fixed upstream: 
https://sourcesup.cru.fr/scm/viewvc.php?view=revision&root=sympa&revision=7215
I'm not sure whether this patch was already included in a new stable 
version but I'll tag the 6.1.8 pretty soon, so you will be able to add 
it to the Debian package.


Cheers,

David

On 15/12/11 14:21, Olivier Berger wrote:

On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:

Hi Olivier,

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:

Package: sympa
Version: 5.3.4-6.1
Severity: normal

Hi.

I just upgraded one of my servers from etch to lenny and got :
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295,IN  line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295,IN  line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295,IN  line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295,IN  line 77.
in the apache logs.

This bug seems quite old, and I wonder if it's still valid? It doesn't
seem to be reproducible with the latest versions of sympa.

Do you experience it with sympa= 6.x?

I've upgraded my system to squeeze and installed the sympa package from 
backports as it seems I heard you mention it somewhere ;)

I'm not sure, but I don't think so, for those errors above.

On the other hand, the problem with these warnings :
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/Lock.pm line 253., referer: 
https://cgt-int.dnsalias.org/wws
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/List.pm line 9703., referer: 
https://cgt-int.dnsalias.org/wws
is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in 
that version... so I'm not sure what's wrong

I don't know if you want to take care about that backports version in this 
ticket.

Thanks in advance if you can ;)

Best regards,





--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2012-01-04 Thread Olivier Berger
On Mon, Dec 19, 2011 at 09:39:54PM +0100, Emmanuel Bouthenot wrote:
 Hi Olivier,
 
 On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
 [...]
 
  I'm not sure, but I don't think so, for those errors above.
  
  On the other hand, the problem with these warnings :
  mod_fcgid: stderr: Insecure dependency in open while running setuid at 
  /usr/share/sympa/lib/Lock.pm line 253., referer: 
  https://cgt-int.dnsalias.org/wws
  mod_fcgid: stderr: Insecure dependency in open while running setuid at 
  /usr/share/sympa/lib/List.pm line 9703., referer: 
  https://cgt-int.dnsalias.org/wws
  is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
 That's weird, I've never encountered such errors. Could you tell me more
 about your apache/fcgid setup for wwsympa?
 

OK : I have libapache2-mod-fcgid (1:2.3.6-1) and libapache2-mod-fastcgi 
(2.4.6-1) installed.

But :
# apache2ctl -t -D DUMP_MODULES
apache2: Could not reliably determine the server's fully qualified domain name, 
...
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 info_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

and :

<IfModule mod_fcgid.c>
  AddHandler fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>

in /etc/apache2/mods-enabled/fcgid.conf

and :

Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi

in /etc/apache2/conf.d/sympa

Dunno what else I could tell...

 
  It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not
  distributed in that version... so I'm not sure what's wrong
 If I remember well, sudo wrapper was dropped from upstream sources about
 2 years ago :)

Indeed... I was just having a look at the initial exchanges on that quite old 
(too) ticket ;)

 
  I don't know if you want to take care about that backports version in this 
  ticket.
 I will try to fix every bug I can reproduce :)
 

Thanks a lot.

Tell me if you need additional details.

Best regards,

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2011-12-19 Thread Emmanuel Bouthenot
Hi Olivier,

On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
[...]

 I'm not sure, but I don't think so, for those errors above.
 
 On the other hand, the problem with these warnings :
 mod_fcgid: stderr: Insecure dependency in open while running setuid at 
 /usr/share/sympa/lib/Lock.pm line 253., referer: 
 https://cgt-int.dnsalias.org/wws
 mod_fcgid: stderr: Insecure dependency in open while running setuid at 
 /usr/share/sympa/lib/List.pm line 9703., referer: 
 https://cgt-int.dnsalias.org/wws
 is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
That's weird, I've never encountered such errors. Could you tell me more
about your apache/fcgid setup for wwsympa?


 It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not
 distributed in that version... so I'm not sure what's wrong
If I remember well, sudo wrapper was dropped from upstream sources about
2 years ago :)

 I don't know if you want to take care about that backports version in this 
 ticket.
I will try to fix every bug I can reproduce :)

M.

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org  gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org  irc: kolter@{freenode,oftc}







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2011-12-15 Thread Olivier Berger
On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
 Hi Olivier,
 
 On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
  Package: sympa
  Version: 5.3.4-6.1
  Severity: normal
  
  Hi.
  
  I just upgraded one of my servers from etch to lenny and got :
  [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
  $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, 
  IN line 37.
  [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
  while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
  [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
  $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, 
  IN line 77.
  [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
  while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
  in the apache logs.
 
 This bug seems quite old, and I wonder if it's still valid? It doesn't
 seem to be reproducible with the latest versions of sympa.
 
 Do you experience it with sympa = 6.x?

I've upgraded my system to squeeze and installed the sympa package from 
backports as it seems I heard you mention it somewhere ;)

I'm not sure, but I don't think so, for those errors above.

On the other hand, the problem with these warnings :
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/Lock.pm line 253., referer: 
https://cgt-int.dnsalias.org/wws
mod_fcgid: stderr: Insecure dependency in open while running setuid at 
/usr/share/sympa/lib/List.pm line 9703., referer: 
https://cgt-int.dnsalias.org/wws
is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in 
that version... so I'm not sure what's wrong

I don't know if you want to take care about that backports version in this 
ticket.

Thanks in advance if you can ;)

Best regards,

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2011-11-28 Thread Emmanuel Bouthenot
Hi Olivier,

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
 Package: sympa
 Version: 5.3.4-6.1
 Severity: normal
 
 Hi.
 
 I just upgraded one of my servers from etch to lenny and got :
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 77.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
 in the apache logs.

This bug seems quite old, and I wonder if it's still valid? It doesn't
seem to be reproducible with the latest versions of sympa.

Do you experience it with sympa = 6.x?

I think that we can safely close it but I will be glad to get your
opinion.


Regards,

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org  gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org  irc: kolter@{freenode,oftc}







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-20 Thread Olivier Salaün

Hi Olivier,

I might provide some useful information:

   * first line of wwsympa.fcgi should look like #!/usr/bin/perl -U.
     If the -U option is missing, it might be the reason why you get
     these warnings/errors
   * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses
     sudo. Do you use it?
   * Sympa 5.4 introduced a C wrapper for wwsympa.fcgi. Do you use it?


Did you check the related documentation 
http://www.sympa.org/manual/web-interface#web_server_setup ?


Olivier Berger wrote:

title 516164 Several Insecure errors when running setuid in apache error log
thanks

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
  

I just upgraded one of my servers from etch to lenny and got :
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
in the apache logs.



There's actually unfortunately more than these 2 :

# grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/List.pm 
line 10148.
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/Lock.pm 
line 203.

Hope this helps.
  








Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-20 Thread Olivier Berger
On Friday 20 February 2009 at 11:22 +0100, Olivier Salaün wrote:
 Hi Olivier,
 
 I might provide some useful information:
 
 * first line of wwsympa.fcgi should look like #!/usr/bin/perl -U.
   If the -U option is missing, it might be the reason why you get
   these warnings/errors

It's there, though :
# head -n 1 /usr/lib/cgi-bin/sympa/wwsympa.fcgi
#!/usr/bin/perl -U

So maybe these are just warnings, although they're reported as
[error]... but I guess there's nothing Apache can do to distinguish
warnings from errors here...

So maybe this means that it works anyway as expected, then (although not
really perfectly secure in perl's opinion).

I tried and ran it with
#!/usr/bin/perl -U -X
and they're gone... so indeed it seems it was only warnings?

 * Sympa 5.2  introduced a Perl wrapper for wwsympa.fcgi that uses
   sudo. Do you use it?

Nope... the wrapper is provided in the Debian package but not used in
the default setup.

 * Sympa 5.4 introduced a C wrapper for wwsympa.fcgi. Do you use it?
 

No... will have to wait until lenny+1 I guess.

 
 Did you check the related documentation 
 http://www.sympa.org/manual/web-interface#web_server_setup ?
 

I'll certainly have a look.

Thanks for your help.

Regards,
-- 
Olivier BERGER olivier.ber...@it-sudparis.eu
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-20 Thread Olivier Berger
On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
  * Sympa 5.2  introduced a Perl wrapper for wwsympa.fcgi that uses
sudo. Do you use it?
 
 Nope... the wrapper is provided in the Debian package but not used in
 the default setup.
 

I've tried with the wrapper and this gives much better results, without errors 
reported.

Here are the necessary changes :

In /etc/sudoers :

www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

and in /etc/apache2/conf.d/sympa :

ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl

Maybe this should be the default, when no fastcgi is activated ?

Hope this helps,






Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-20 Thread Olivier Berger
On Fri, Feb 20, 2009 at 02:40:58PM +0100, Olivier Berger wrote:
 On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
   * Sympa 5.2  introduced a Perl wrapper for wwsympa.fcgi that uses
 sudo. Do you use it?
  
  Nope... the wrapper is provided in the Debian package but not used in
  the default setup.
  
 
 I've tried with the wrapper and this gives much better results, without 
 errors reported.
 
 Here are the necessary changes :
 
 In /etc/sudoers :
 
   www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
 
 and in /etc/apache2/conf.d/sympa :
 
   ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl
 

One more element also, which I didn't notice initially... the environment 
variables are trashed with the default 
/usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl provided in the package.

So the CGI execution won't be really working, losing its base URL for instance.

It seems that having a supplemental -E option in the sudo command as well as 
the SETENV: flag in sudoers helps also :

In /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl :

exec '/usr/bin/sudo', '-E', '-u', 'sympa', 
'/usr/lib/cgi-bin/sympa/wwsympa.fcgi';

In /etc/sudoers (visudo) :
www-data ALL = (sympa) SETENV: NOPASSWD: 
/usr/lib/cgi-bin/sympa/wwsympa.fcgi

Again :

 Maybe this should be the default, when no fastcgi is activated ?
 
 Hope this helps,
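
A variant of the wrapper's exec line that narrows what sudo -E carries across, as an added example and not the wwsympa_sudo_wrapper.pl shipped in the package: with -E and SETENV the whole environment built from the web request reaches the process running as sympa, so the wrapper here reduces it to an allowlist first. The list of variable names, the GATEWAY_INTERFACE test and the sample values are assumptions; which variables wwsympa.fcgi needs has to be checked against a working setup.

```perl
#!/usr/bin/perl
# Added illustration (not the wrapper shipped in the Debian package).
use strict;
use warnings;

# Variables passed through to wwsympa.fcgi. The list follows the CGI/1.1
# meta-variables (RFC 3875) plus HTTPS and REQUEST_URI as set by Apache;
# which of them wwsympa.fcgi really needs is an assumption to verify.
my %KEEP = map { $_ => 1 } qw(
    AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE PATH_INFO
    PATH_TRANSLATED QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_USER
    REQUEST_METHOD REQUEST_URI SCRIPT_NAME SERVER_NAME SERVER_PORT
    SERVER_PROTOCOL SERVER_SOFTWARE HTTPS
);

# Build a new environment: allowlisted names and request headers (HTTP_*),
# minus HTTP_PROXY (a "Proxy:" request header would otherwise look like proxy
# configuration to some HTTP client libraries), minus values containing NUL
# or line breaks, plus a fixed PATH.
sub filtered_env {
    my (%in) = @_;
    my %out;
    for my $name (keys %in) {
        next unless $KEEP{$name} || $name =~ /\AHTTP_[A-Z0-9_]+\z/;
        next if $name eq 'HTTP_PROXY';
        next unless defined($in{$name}) && $in{$name} !~ /[\0\r\n]/;
        $out{$name} = $in{$name};
    }
    $out{PATH} = '/usr/bin:/bin';
    return %out;
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Invoked by the web server as a CGI: replace the environment, then hand
    # over to sudo exactly as in the exec line quoted in the message above.
    %ENV = filtered_env(%ENV);
    exec('/usr/bin/sudo', '-E', '-u', 'sympa',
         '/usr/lib/cgi-bin/sympa/wwsympa.fcgi')
        or die "exec sudo: $!\n";
}

# Run by hand: show the effect on a constructed environment (sample values).
my %sample = (
    REQUEST_METHOD => 'GET',
    SERVER_NAME    => 'lists.example.org',
    SCRIPT_NAME    => '/wws',
    QUERY_STRING   => 'a=1',
    HTTP_HOST      => 'lists.example.org',
    HTTP_PROXY     => 'http://192.0.2.1:8080',
    PERL5LIB       => '/tmp/lib',
    PERL5OPT       => '-MSome::Module',
    PATH           => '/tmp/bin:/usr/bin',
);
my %kept = filtered_env(%sample);
print "kept:    ", join(' ', sort keys %kept), "\n";
print "dropped: ", join(' ', grep { !exists $kept{$_} } sort keys %sample), "\n";
```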






Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Olivier Berger
Package: sympa
Version: 5.3.4-6.1
Severity: normal

Hi.

I just upgraded one of my servers from etch to lenny and got :
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} 
while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} 
while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
in the apache logs.

Dunno what's wrong actually :(

Best regards,


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                       3.110        add and remove users and groups
ii  debconf [debconf-2.0]         1.5.24       Debian configuration management sy
ii  exim4-daemon-light [mail-tra  4.69-9       lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl           none         (no description available)
ii  libc6                         2.7-18       GNU C Library: Shared libraries
pn  libcgi-fast-perl              none         (no description available)
pn  libcrypt-ciphersaber-perl     none         (no description available)
ii  libdbd-mysql-perl             4.007-1      A Perl5 database interface to the
ii  libdbi-perl                   1.605-1      Perl5 database interface by Tim Bu
ii  libfcgi-perl                  0.67-2.1+b1  FastCGI Perl module
ii  libintl-perl                  1.16-4       Uniforum message translations syst
ii  libio-stringy-perl            2.110-4      Perl modules for IO from scalars a
ii  libmailtools-perl             2.03-1       Manipulate email in perl programs
pn  libmd5-perl                   none         (no description available)
ii  libmime-tools-perl [libmime-  5.427-1      Perl5 modules for MIME-compliant m
pn  libmsgcat-perl                none         (no description available)
pn  libnet-ldap-perl              none         (no description available)
pn  libtemplate-perl              none         (no description available)
ii  libxml-libxml-perl            1.66-1+b1    Perl module for using the GNOME li
pn  mhonarc                       none         (no description available)
ii  perl [libmime-base64-perl]    5.10.0-19    Larry Wall's Practical Extraction
pn  perl-suid                     none         (no description available)
ii  sysklogd [system-log-daemon]  1.5-5        System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.20       utilities to manage online documen
ii  logrotate                     3.7.1-5      Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [htt      2.2.9-10+lenny2  Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         none         (no description available)
ii  mysql-server                  5.0.51a-24   MySQL database server (metapackage
ii  mysql-server-5.0 [mysql-      5.0.51a-24   MySQL database server binaries
ii  openssl                       0.9.8g-15    Secure Socket Layer (SSL) binary a






Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Stefan Hornburg

Olivier Berger wrote:

Package: sympa
Version: 5.3.4-6.1
Severity: normal

Hi.

I just upgraded one of my servers from etch to lenny and got :
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
in the apache logs.

Dunno what's wrong actually :(


What is your exact setup in Apache? Is it merely a warning, or does Sympa stop
working?

Regards
 Racke


--
LinuXia Systems = http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP = http://www.icdevgroup.org/
Interchange Development Team







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Olivier Berger
On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
 Package: sympa
 Version: 5.3.4-6.1
 Severity: normal
 
 Hi.
 
 I just upgraded one of my servers from etch to lenny and got :
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 77.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
 in the apache logs.
 
 Dunno what's wrong actually :(
 

OK, found :

# grep /bin/cat /etc/sympa/sympa.conf
syslog `/bin/cat /etc/sympa/facility`
cookie `/bin/cat /etc/sympa/cookie`

... OK, I can patch that, then.

But that doesn't help fix that for good.

Hope this helps,

Regards,
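
The two kinds of message reported in this thread, reproduced in a small Perl script under taint mode, as an added example that is not part of the original message or of Sympa: backticks run with an inherited environment (the "Insecure $ENV{PATH}" case behind the /bin/cat lines in sympa.conf) and open for writing under a name derived from tainted data (the "Insecure dependency in open" case). The list names, the allowlist pattern and the /tmp/taint-demo-$$ directory are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Added illustration (not Sympa code). Run it as: perl -T taint_demo.pl
# A setuid script gets the same checks automatically; only the message suffix
# differs ("while running setuid" instead of "while running with -T switch").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run a block; return '' on success or the first line of the fatal error.
sub first_error {
    my ($code) = @_;
    return '' if eval { $code->(); 1 };
    my ($line) = split /\n/, "$@";
    return $line // 'unknown error';
}

# Allowlist check that also untaints: only a regex capture clears the flag.
# The pattern is an assumption for this demo, not Sympa's naming rule.
sub untaint_list_name {
    my ($name) = @_;
    return $name =~ /\A([a-z0-9][a-z0-9._-]{0,49})\z/ ? $1 : undef;
}

# Every inherited environment value is tainted. Borrow that flag for two
# constructed names that stand in for values taken from a web request.
my ($inherited) = grep { defined($_) && tainted($_) } values %ENV;
die "run with -T and a non-empty environment\n" unless defined $inherited;
my $taint     = substr($inherited, 0, 0);
my $list_name = 'demo-list' . $taint;
my $hostile   = '../../etc/passwd' . $taint;

# 1. Backticks with the inherited environment: refused even though the
#    command path is absolute (typically "Insecure $ENV{PATH} ...").
my $before = first_error(sub { my $out = `/bin/echo LOCAL1`; });
print "backticks, inherited env : ", ($before || 'no error'), "\n";

# 2. Same command after pinning the environment to known values.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $after = first_error(sub { my $out = `/bin/echo LOCAL1`; });
print "backticks, pinned env    : ", ($after || 'no error'), "\n";

# 3. Opening a file for writing under a name derived from tainted data.
my $dir = "/tmp/taint-demo-$$";          # mkdir fails if the path exists
mkdir $dir, 0700 or die "mkdir $dir: $!\n";
my $tainted_open = first_error(sub {
    open my $fh, '>', "$dir/$list_name.lock" or die "open: $!\n";
});
print "open, tainted name       : ", ($tainted_open || 'no error'), "\n";

# 4. Validate, untaint, then open.
my $clean = untaint_list_name($list_name);
my $clean_open = first_error(sub {
    open my $fh, '>', "$dir/$clean.lock" or die "open: $!\n";
    close $fh;
});
print "open, validated name     : ", ($clean_open || 'no error'), "\n";
print "hostile name accepted    : ",
    (defined untaint_list_name($hostile) ? 'yes' : 'no'), "\n";

# Remove the demo file and directory again.
unlink "$dir/$clean.lock";
rmdir $dir;
```

With -U, as on the wwsympa.fcgi shebang line discussed in this thread, the same checks are reported as warnings instead of stopping the script.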






Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Stefan Hornburg

Olivier Berger wrote:

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:

Package: sympa
Version: 5.3.4-6.1
Severity: normal

Hi.

I just upgraded one of my servers from etch to lenny and got :
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while 
running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
in the apache logs.

Dunno what's wrong actually :(



OK, found :

# grep /bin/cat /etc/sympa/sympa.conf
syslog `/bin/cat /etc/sympa/facility`
cookie `/bin/cat /etc/sympa/cookie`

... OK, I can patch that, then.

But that doesn't help fix that for good.


Sympa configuration really needs include.

Regards
Racke

--
LinuXia Systems = http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP = http://www.icdevgroup.org/
Interchange Development Team







Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Olivier Berger
title 516164 Several Insecure errors when running setuid in apache error log
thanks

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
 
 I just upgraded one of my servers from etch to lenny and got :
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 37.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure 
 $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN 
 line 77.
 [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC 
 while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, IN line 77.
 in the apache logs.
 

There's actually unfortunately more than these 2 :

# grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/List.pm 
line 10148.
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/Lock.pm 
line 203.

Hope this helps.

Regards,






Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

2009-02-19 Thread Olivier Berger
On Thursday 19 February 2009 at 17:40 +0100, Olivier Berger wrote:

 There's actually unfortunately more than these 2 :
 
 # grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
 Insecure dependency in open while running setuid at 
 /usr/lib/sympa/bin/List.pm line 10148.
 Insecure dependency in open while running setuid at 
 /usr/lib/sympa/bin/Lock.pm line 203.
 
 Hope this helps.
 

FYI, this happened when I tested with a setup without FastCGI activated.


Btw, I've also tested if there's a workaround using FastCGI, but it
refused to work (crashing somehow)... but that's another story I guess.

Damn'it... at least the mail pipes are working, so mailing-lists are
operating even though the web interface is down.

Regards,
-- 
Olivier BERGER olivier.ber...@it-sudparis.eu
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)



