Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SA 2020-001] Security flaws in CSRF prevension, CVE-2020-9369 #886

Closed
3 tasks done
ikedas opened this issue Feb 24, 2020 · 2 comments · Fixed by #887
Closed
3 tasks done

[SA 2020-001] Security flaws in CSRF prevension, CVE-2020-9369 #886

ikedas opened this issue Feb 24, 2020 · 2 comments · Fixed by #887
Labels
bug security
Milestone
6.2.54

Comments

@ikedas
Copy link
Member

ikedas commented Feb 24, 2020
edited
Loading

Version

6.2.38 to 6.2.52.

Installation method

Any.

Expected behavior

There are no flaw.

Actual behavior

Sympa SA 2020-001 (candidate). Denial of service caused by malformed CSRF token.

Additional information

  • security advisory will be published later.
  • Pull request has been prepared and will be submitted soon.
  • New version of Sympa and a patch will be released.
@ikedas ikedas added this to the 6.2.54 milestone Feb 24, 2020
@ikedas ikedas mentioned this issue Feb 24, 2020
Merged
@ikedas ikedas pinned this issue Feb 24, 2020
ikedas added a commit that referenced this issue Feb 24, 2020
@ikedas
Merge pull request #887 from ikedas/sa-2020-001 by ikedas
69c9e74 
[SA 2020-001] Security flaws in CSRF prevension (#886)
@ikedas ikedas closed this as completed Feb 24, 2020
@carnil
Copy link

carnil commented Feb 24, 2020

CVE-2020-9369 was assigned for this issue.

@ikedas
Copy link
Member Author

ikedas commented Feb 24, 2020

Thanks for information!

@ikedas ikedas changed the title [SA 2020-001] Security flaws in CSRF prevension [SA 2020-001] Security flaws in CSRF prevension, CVE-2020-9369 Feb 25, 2020
@ikedas ikedas linked a pull request Feb 25, 2020 that will close this issue
[SA 2020-001] Security flaws in CSRF prevension (#886) #887
Merged
@ikedas ikedas unpinned this issue Mar 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
6.2.54
Development

Successfully merging a pull request may close this issue.

[SA 2020-001] Security flaws in CSRF prevension (#886) ikedas/sympa
2 participants
@carnil @ikedas