=====================================================================
CERT-Renater Information Note No. 2008/VULN609
_____________________________________________________________________
DATE                 : 22/12/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Sympa versions prior to 5.4.4.
======================================================================

https://listes.cru.fr/sympa/arc/sympa-announce/2008-12/msg00000.html
______________________________________________________________________

It looks like you were all good girls and boys this year, as Santa
brought you a brand new Sympa to the Christmas tree. :)

Sympa 5.4.4 was released today. You can download it here:
http://www.sympa.org/distribution/sympa-5.4.4.tar.gz

With this version, which will probably be the last of the 5.x branch of
development, come a lot of bug fixes and updated translations. Some of
the bugs were security breaches, so we encourage you to update your
servers reasonably soon.

Amongst these bug fixes, you will find the solution to the following
problems:

- Sympa was not fully compliant with RFC 2616, leading for example to
  possible unwanted list deletion by administrators using prefetching
  tools. This was fixed by replacing all the threatening GET requests
  by POST requests;
- Use of the sprintf() function for creating SQL queries led to possible
  SQL injection through cookie manipulation;
- The use of files in /tmp led to vulnerabilities;
- And so on.

The internationalization was improved for several languages:

* Modern Chinese, thanks to M. Smith,
* Vietnamese, thanks to C. Siddall,
* Russian, thanks to Chernysh,
* Bokmål, thanks to B.C. Aasgaard,
* Japanese, thanks to S. Ikeda,
* Magyar, thanks to H. Szabolcs,
* Finnish, thanks to J.P. Paloposki,
* Estonian, thanks to U. Buhvestov,
* Spanish, thanks to D. Magaña,
* German, thanks to S. Weber,
* Catalan, thanks to J. Deu-Pons.
You can find the full Changelog here:
http://www.sympa.org/distribution/latest-stable/NEWS

Please note that the Sympa PDF documentation is not distributed with the
Sympa tar.gz file anymore. You can find it on our website instead:
http://www.sympa.org/documentation/manual/sympa-5.4.4.pdf

Merry Christmas (or whatever you wish to celebrate at this time of year)
and see you next year for the release of Sympa 6!

Regards,
--
David Verdin
Comité réseau des universités
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44    +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41    +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
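The announcement above names SQL queries assembled with sprintf() from a cookie value as one of the fixed injection bugs. The following is an added example, not Sympa's own code: it reproduces the same defect with Python's %-formatting against an in-memory SQLite table and places the parameterized form beside it, so the difference in how a tampered cookie is handled can be checked. The table and column names are constructed for the example and do not reflect Sympa's real schema.

```python
import sqlite3


def make_db():
    # Constructed session store standing in for a cookie-backed session table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE session_table (id_session TEXT, email_session TEXT)")
    conn.executemany(
        "INSERT INTO session_table VALUES (?, ?)",
        [("a1b2c3", "alice@example.org"), ("d4e5f6", "bob@example.org")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, cookie_value):
    # The pre-5.4.4 pattern: the cookie is spliced into the SQL text with
    # printf-style formatting (sprintf() in Perl, % here), so a quote in the
    # cookie changes the structure of the query rather than its data.
    sql = "SELECT email_session FROM session_table WHERE id_session = '%s'" % cookie_value
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, cookie_value):
    # The fix: a bound placeholder. The driver hands the cookie to the engine
    # as a value, so it can never be parsed as SQL, whatever it contains.
    sql = "SELECT email_session FROM session_table WHERE id_session = ?"
    return [row[0] for row in conn.execute(sql, (cookie_value,))]


def demo():
    conn = make_db()
    honest = "a1b2c3"
    # Constructed tampered cookie: the embedded quote closes the literal in
    # the formatted query and appends a condition that is always true.
    tampered = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "param_honest": lookup_parameterized(conn, honest),
        "param_tampered": lookup_parameterized(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the formatted query the tampered cookie returns every session's e-mail; with the bound parameter it matches nothing, which is the behaviour a session lookup should have for an unknown cookie.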