Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Same problem!? Upgraded from sympa 5.4 to sympa_6.1.7~dfsg-2

Now wwsympa doesn't work any more. I got a lot of Insecure errors when running setuid in the logs, repeated many times. These are only the first and last lines ...

[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in sprintf while running setuid at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Use of uninitialized value $_[0] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Use of uninitialized value $_[1] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm line 368.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 255.

many others ---

[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in require while running setuid at /usr/lib/perl5/Template/Plugins.pm line 29.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi stderr: Insecure dependency in require while running setuid at /usr/lib/perl5/Template/Filters.pm line 22.
[Sat Jan 07 17:05:18 2012] [error] [client 151.49.48.182] FastCGI: incomplete headers (0 bytes) received from server /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi

My configs:

/etc/apache2/conf.d/sympa

# Apache configuration file for Sympa
Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fc

/etc/apache2/mods-available/fastcgi.conf

<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  FastCgiConfig -idle-timeout 120
  FastCgiIpcDir /var/lib/apache2/fastcgi
</IfModule>

in virtual host apache config

...
<Location /wws>
  Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
</Location>

any help would be very appreciated!

Thanks
Giorgio
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Dear all,

This problem showed up recently and was fixed upstream:
https://sourcesup.cru.fr/scm/viewvc.php?view=revisionroot=symparevision=7215

I'm not sure whether this patch was already included in a new stable version but I'll tag the 6.1.8 pretty soon, so you will be able to add it to the Debian package.

Cheers,
David

On 15/12/11 14:21, Olivier Berger wrote:
> On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
> > Hi Olivier,
> >
> > On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > > Package: sympa
> > > Version: 5.3.4-6.1
> > > Severity: normal
> > >
> > > Hi.
> > >
> > > I just upgraded one of my servers from etch to lenny and got :
> > >
> > > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > >
> > > in the apache logs.
> >
> > This bug seems quite old, and I wonder if it's still valid?
> >
> > It doesn't seem to be reproducible with the latest versions of sympa. Do you experience it with sympa= 6.x?
>
> I've upgraded my system to squeeze and installed the sympa package from backports as it seems I heard you mention it somewhere ;)
>
> I'm not sure, but I don't think so, for those errors above.
>
> On the other hand, the problem with these warnings :
>
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
>
> is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
>
> It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong
>
> I don't know if you want to take care about that backports version in this ticket.
>
> Thanks in advance if you can ;)
>
> Best regards,
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Mon, Dec 19, 2011 at 09:39:54PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
>
> On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
> [...]
> > I'm not sure, but I don't think so, for those errors above.
> >
> > On the other hand, the problem with these warnings :
> >
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
> >
> > is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
>
> That's weird, I've never encountered such errors. Could you tell me more about your apache/fcgid setup for wwsympa?

OK : I have libapache2-mod-fcgid (1:2.3.6-1) and libapache2-mod-fastcgi (2.4.6-1) installed.

But :

# apache2ctl -t -D DUMP_MODULES
apache2: Could not reliably determine the server's fully qualified domain name, ...
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 info_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

and :

<IfModule mod_fcgid.c>
  AddHandler fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>

in /etc/apache2/mods-enabled/fcgid.conf

and :

Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi

in /etc/apache2/conf.d/sympa

Dunno what else I could tell...

> > It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong
>
> If I remember well, sudo wrapper was dropped from upstream sources about 2 years ago :)

Indeed... I was just having a look at the initial exchanges on that quite old (too) ticket ;)

> > I don't know if you want to take care about that backports version in this ticket.
>
> I will try to fix every bug I can reproduce :)

Thanks a lot. Tell me if you need additional details.

Best regards,
--
Olivier BERGER
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Hi Olivier,

On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
[...]
> I'm not sure, but I don't think so, for those errors above.
>
> On the other hand, the problem with these warnings :
>
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
>
> is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

That's weird, I've never encountered such errors. Could you tell me more about your apache/fcgid setup for wwsympa?

> It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong

If I remember well, sudo wrapper was dropped from upstream sources about 2 years ago :)

> I don't know if you want to take care about that backports version in this ticket.

I will try to fix every bug I can reproduce :)

M.
--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: kol...@im.openics.org irc: kolter@{freenode,oftc}
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Mon, Nov 28, 2011 at 11:06:27PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
>
> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > Package: sympa
> > Version: 5.3.4-6.1
> > Severity: normal
> >
> > Hi.
> >
> > I just upgraded one of my servers from etch to lenny and got :
> >
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> >
> > in the apache logs.
>
> This bug seems quite old, and I wonder if it's still valid?
>
> It doesn't seem to be reproducible with the latest versions of sympa. Do you experience it with sympa = 6.x?

I've upgraded my system to squeeze and installed the sympa package from backports as it seems I heard you mention it somewhere ;)

I'm not sure, but I don't think so, for those errors above.

On the other hand, the problem with these warnings :

mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws

is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)

It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not distributed in that version... so I'm not sure what's wrong

I don't know if you want to take care about that backports version in this ticket.

Thanks in advance if you can ;)

Best regards,
--
Olivier BERGER
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Hi Olivier,

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> Package: sympa
> Version: 5.3.4-6.1
> Severity: normal
>
> Hi.
>
> I just upgraded one of my servers from etch to lenny and got :
>
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
>
> in the apache logs.

This bug seems quite old, and I wonder if it's still valid?

It doesn't seem to be reproducible with the latest versions of sympa. Do you experience it with sympa = 6.x?

I think that we can safely close it but I will be glad to get your opinion.

Regards,
--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: kol...@im.openics.org irc: kolter@{freenode,oftc}
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Hi Olivier,

I might provide some useful information :

 * first line of wwsympa.fcgi should look like #!/usr/bin/perl -U. If the -U option is missing, it might be the reason why you get these warnings/errors
 * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses sudo. Do you use it?
 * Sympa 5.4 introduced a C wrapper for wwsympa.fcgi. Do you use it?

Did you check the related documentation http://www.sympa.org/manual/web-interface#web_server_setup ?

Olivier Berger wrote:
> title 516164 Several Insecure errors when running setuid in apache error log
> thanks
>
> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > I just upgraded one of my servers from etch to lenny and got :
> >
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> >
> > in the apache logs.
>
> There's actually unfortunately more than these 2 :
>
> # grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
> Insecure dependency in open while running setuid at /usr/lib/sympa/bin/List.pm line 10148.
> Insecure dependency in open while running setuid at /usr/lib/sympa/bin/Lock.pm line 203.
>
> Hope this helps.
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Friday 20 February 2009 at 11:22 +0100, Olivier Salaün wrote:
> Hi Olivier,
>
> I might provide some useful information :
>
>  * first line of wwsympa.fcgi should look like #!/usr/bin/perl -U. If the -U option is missing, it might be the reason why you get these warnings/errors

It's there, though :

# head -n 1 /usr/lib/cgi-bin/sympa/wwsympa.fcgi
#!/usr/bin/perl -U

So maybe these are just warnings, although they're reported as [error]... but I guess there's nothing Apache can do to distinguish warnings from errors here...

So maybe this means that it works anyway as expected, then (although not really perfectly secure in perl's opinion).

I tried and run it with #!/usr/bin/perl -U -X and they're gone... so indeed seems it was only warnings ?

>  * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses sudo. Do you use it?

Nope... the wrapper is provided in the Debian package but not used in the default setup.

>  * Sympa 5.4 introduced a C wrapper for wwsympa.fcgi. Do you use it?

No... will have to wait until lenny+1 I guess.

> Did you check the related documentation http://www.sympa.org/manual/web-interface#web_server_setup ?

I'll certainly have a look.

Thanks for your help.

Regards,
--
Olivier BERGER olivier.ber...@it-sudparis.eu
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
> > * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses sudo. Do you use it?
>
> Nope... the wrapper is provided in the Debian package but not used in the default setup.

I've tried with the wrapper and this gives much better results, without errors reported.

Here are the necessary changes :

In /etc/sudoers :

www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

and in /etc/apache2/conf.d/sympa :

ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl

Maybe this should be the default, when no fastcgi is activated ?

Hope this helps,
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Fri, Feb 20, 2009 at 02:40:58PM +0100, Olivier Berger wrote:
> On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
> > > * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses sudo. Do you use it?
> >
> > Nope... the wrapper is provided in the Debian package but not used in the default setup.
>
> I've tried with the wrapper and this gives much better results, without errors reported.
>
> Here are the necessary changes :
>
> In /etc/sudoers :
>
> www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
>
> and in /etc/apache2/conf.d/sympa :
>
> ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl

One more element also, which I didn't notice initially... the environment variables are trashed with the default /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl provided in the package. So the CGI execution won't be really working, losing its base URL for instance.

It seems that having a supplemental -E option in the sudo command as well as the SETENV: flag in sudoers helps also :

In /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl :

exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi';

In /etc/sudoers (visudo) :

www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

Again : Maybe this should be the default, when no fastcgi is activated ?

Hope this helps,
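
Added example (editorial, not part of the thread and not the wrapper shipped by Sympa or Debian): with -E and SETENV: the web server's whole environment reaches the process running as sympa, so this wrapper variant trims %ENV to an allowlist before the same exec. The variable list, the fixed PATH and the function name cgi_environment are assumptions made for the example; the sudo command line is the one quoted in the message above.

```perl
#!/usr/bin/perl
# Added example, not the wwsympa_sudo_wrapper.pl shipped by Sympa or Debian.
use strict;
use warnings;

# Assumption: wwsympa needs only the CGI/1.1 meta-variables plus request headers.
my %ALLOWED = map { $_ => 1 } qw(
    AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE HTTPS PATH_INFO
    PATH_TRANSLATED QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_USER
    REQUEST_METHOD REQUEST_URI SCRIPT_NAME SERVER_NAME SERVER_PORT
    SERVER_PROTOCOL SERVER_SOFTWARE
);

# Return the subset of %env that may cross the sudo boundary.
sub cgi_environment {
    my (%env) = @_;
    my %keep = (PATH => '/usr/bin:/bin');       # fixed value, never inherited
    for my $name (sort keys %env) {
        next unless $ALLOWED{$name} || $name =~ /\AHTTP_[A-Z0-9_]+\z/;
        next if $name eq 'HTTP_PROXY';          # comes from a client "Proxy:" header
        my $value = $env{$name};
        next if !defined $value || $value =~ /[\0\r\n]/;
        $keep{$name} = $value;
    }
    return %keep;
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Invoked by the web server as a CGI: replace the environment, then hand over.
    %ENV = cgi_environment(%ENV);
    exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi'
        or die "exec sudo: $!\n";
}

# Run by hand: apply the filter to a constructed environment and list the result.
my %sample = (
    GATEWAY_INTERFACE => 'CGI/1.1',
    REQUEST_METHOD    => 'GET',
    SERVER_NAME       => 'lists.example.org',
    SCRIPT_NAME       => '/wws',
    HTTP_HOST         => 'lists.example.org',
    HTTP_COOKIE       => 'sympa_session=constructed',
    HTTP_PROXY        => 'http://192.0.2.1:3128',
    PATH              => '/tmp/bin:/usr/bin',
    PERL5LIB          => '/tmp/lib',
    LD_PRELOAD        => '/tmp/x.so',
);
my %kept = cgi_environment(%sample);
print "kept:    $_=$kept{$_}\n" for sort keys %kept;
print "dropped: $_\n" for sort grep { !exists $kept{$_} } keys %sample;
```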
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Package: sympa
Version: 5.3.4-6.1
Severity: normal

Hi.

I just upgraded one of my servers from etch to lenny and got :

[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
[Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.

in the apache logs.

Dunno what's wrong actually :(

Best regards,

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                       3.110        add and remove users and groups
ii  debconf [debconf-2.0]         1.5.24       Debian configuration management sy
ii  exim4-daemon-light [mail-tra  4.69-9       lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl           <none>       (no description available)
ii  libc6                         2.7-18       GNU C Library: Shared libraries
pn  libcgi-fast-perl              <none>       (no description available)
pn  libcrypt-ciphersaber-perl     <none>       (no description available)
ii  libdbd-mysql-perl             4.007-1      A Perl5 database interface to the
ii  libdbi-perl                   1.605-1      Perl5 database interface by Tim Bu
ii  libfcgi-perl                  0.67-2.1+b1  FastCGI Perl module
ii  libintl-perl                  1.16-4       Uniforum message translations syst
ii  libio-stringy-perl            2.110-4      Perl modules for IO from scalars a
ii  libmailtools-perl             2.03-1       Manipulate email in perl programs
pn  libmd5-perl                   <none>       (no description available)
ii  libmime-tools-perl [libmime-  5.427-1      Perl5 modules for MIME-compliant m
pn  libmsgcat-perl                <none>       (no description available)
pn  libnet-ldap-perl              <none>       (no description available)
pn  libtemplate-perl              <none>       (no description available)
ii  libxml-libxml-perl            1.66-1+b1    Perl module for using the GNOME li
pn  mhonarc                       <none>       (no description available)
ii  perl [libmime-base64-perl]    5.10.0-19    Larry Wall's Practical Extraction
pn  perl-suid                     <none>       (no description available)
ii  sysklogd [system-log-daemon]  1.5-5        System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.20       utilities to manage online documen
ii  logrotate                     3.7.1-5      Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [htt  2.2.9-10+lenny2  Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi     <none>           (no description available)
ii  mysql-server              5.0.51a-24       MySQL database server (metapackage
ii  mysql-server-5.0 [mysql-  5.0.51a-24       MySQL database server binaries
ii  openssl                   0.9.8g-15        Secure Socket Layer (SSL) binary a
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Olivier Berger wrote:
> Package: sympa
> Version: 5.3.4-6.1
> Severity: normal
>
> Hi.
>
> I just upgraded one of my servers from etch to lenny and got :
>
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
>
> in the apache logs.
>
> Dunno what's wrong actually :(

What is your exact setup in Apache? Is it merely a warning or Sympa stops to work?

Regards
Racke
--
LinuXia Systems = http://www.linuxia.de/ Expert Interchange Consulting and System Administration
ICDEVGROUP = http://www.icdevgroup.org/ Interchange Development Team
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> Package: sympa
> Version: 5.3.4-6.1
> Severity: normal
>
> Hi.
>
> I just upgraded one of my servers from etch to lenny and got :
>
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
>
> in the apache logs.
>
> Dunno what's wrong actually :(

OK, found :

# grep /bin/cat /etc/sympa/sympa.conf
syslog `/bin/cat /etc/sympa/facility`
cookie `/bin/cat /etc/sympa/cookie`

...

OK, I can patch that, then. But that doesn't help fix that for good.

Hope this helps,

Regards,
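
Added example (editorial, not part of the thread and not Sympa code): a stand-alone Perl script that triggers the two checks seen in this report, the PATH check on a backtick-style command like the ones in sympa.conf and the "Insecure dependency in open" check on a lock file, each followed by its usual repair. It runs under -T, so the messages end in "while running with -T switch" where the setuid process logs "while running setuid"; the scratch directory, the list name, the name pattern and the helper names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Sympa code. Run with taint checks on:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this with perl -T\n" unless ${^TAINT};

# Zero-length tainted string: appending it taints a value the way request or
# environment data would be. Captured before %ENV is cleaned further down.
my $TAINT = substr($ENV{PATH} // '', 0, 0);

# Run $code; return 'ok' or the error it died with, minus the "at FILE line N" tail.
sub attempt {
    my ($code) = @_;
    return 'ok' if eval { $code->(); 1 };
    (my $err = $@) =~ s/ at .+? line \d+.*//s;
    return "died: $err";
}

# Allowlist untaint for a list name (assumed syntax, not Sympa's own rule).
sub untaint_listname {
    my ($name) = @_;
    return $name =~ /\A([a-z0-9][a-z0-9._-]{0,63})\z/ ? $1 : undef;
}

# Private scratch directory standing in for /etc/sympa and the lock spool.
my $dir = "/tmp/taint-demo-$$";
mkdir $dir, 0700 or die "mkdir $dir: $!\n";
my $facility = "$dir/facility";
open my $out, '>', $facility or die "open $facility: $!\n";
print {$out} "LOCAL1\n";
close $out;

my @report;

# 1. Command substitution as in sympa.conf, with the caller's environment.
push @report, [ 'qx, inherited %ENV', attempt(sub { my $v = qx(/bin/cat $facility) }) ];

# 2. Same command after pinning PATH and dropping shell-affecting variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
push @report, [ 'qx, cleaned %ENV', attempt(sub { my $v = qx(/bin/cat $facility) }) ];

# 3. Reading the file needs no subprocess, but what comes out of it is tainted.
open my $in, '<', $facility or die "open $facility: $!\n";
chomp(my $value = <$in>);
close $in;
push @report, [ 'file content tainted?', tainted($value) ? 'yes' : 'no' ];

# 4. Lock file named after a tainted list name (constructed request parameter).
my $list = 'announce' . $TAINT;
push @report, [ 'append, tainted name',
    attempt(sub { open my $l, '>>', "$dir/$list.lock" or die "open: $!\n" }) ];

# 5. Same open after the name has passed the allowlist pattern.
my $clean = untaint_listname($list) // die "bad list name\n";
push @report, [ 'append, validated name',
    attempt(sub { open my $l, '>>', "$dir/$clean.lock" or die "open: $!\n" }) ];

unlink $facility, "$dir/$clean.lock";
rmdir $dir;

printf "%-24s %s\n", @$_ for @report;
```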
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Olivier Berger wrote:
> On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> > Package: sympa
> > Version: 5.3.4-6.1
> > Severity: normal
> >
> > Hi.
> >
> > I just upgraded one of my servers from etch to lenny and got :
> >
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> > [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> >
> > in the apache logs.
> >
> > Dunno what's wrong actually :(
>
> OK, found :
>
> # grep /bin/cat /etc/sympa/sympa.conf
> syslog `/bin/cat /etc/sympa/facility`
> cookie `/bin/cat /etc/sympa/cookie`
>
> ...
>
> OK, I can patch that, then. But that doesn't help fix that for good.

Sympa configuration really needs include.

Regards
Racke
--
LinuXia Systems = http://www.linuxia.de/ Expert Interchange Consulting and System Administration
ICDEVGROUP = http://www.icdevgroup.org/ Interchange Development Team
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
title 516164 Several Insecure errors when running setuid in apache error log
thanks

On Thu, Feb 19, 2009 at 05:12:30PM +0100, Olivier Berger wrote:
> I just upgraded one of my servers from etch to lenny and got :
>
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 37.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure $ENV{PATH} while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
> [Thu Feb 19 17:05:34 2009] [error] [client xxx.xxx.xxx.xxx] Insecure EXEC while running setuid at /usr/lib/sympa/bin/Conf.pm line 295, <IN> line 77.
>
> in the apache logs.

There's actually unfortunately more than these 2 :

# grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/List.pm line 10148.
Insecure dependency in open while running setuid at /usr/lib/sympa/bin/Lock.pm line 203.

Hope this helps.

Regards,
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
On Thursday 19 February 2009 at 17:40 +0100, Olivier Berger wrote:
> There's actually unfortunately more than these 2 :
>
> # grep "Insecure dependency" /var/log/apache2/error.log | sed 's/.*Insecure/Insecure/g' | sed 's/, referer.*//g' | sort -u
> Insecure dependency in open while running setuid at /usr/lib/sympa/bin/List.pm line 10148.
> Insecure dependency in open while running setuid at /usr/lib/sympa/bin/Lock.pm line 203.
>
> Hope this helps.

FYI, this happened when I tested with a setup without FastCGI activated.

Btw, I've also tested if there's a workaround using FastCGI, but it refused to work (crashing somehow)... but that's another story I guess.

Damn'it... at least the mail pipes are working, so mailing-lists are operating even though the web interface is down.

Regards,
--
Olivier BERGER olivier.ber...@it-sudparis.eu
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)