[pkg-php-pear] Bug#849365: libphp-phpmailer: CVE-2016-10033
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 29 07:45:02 UTC 2016
Hi,
On Wed, Dec 28, 2016 at 11:31:11AM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> > On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > > Source: libphp-phpmailer
> > > Version: 5.2.9+dfsg-2
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for libphp-phpmailer.
> > >
> > > CVE-2016-10033[0]:
> > > remote code execution
> >
> > Further analysis of the fix via
> > https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> > has shown that this fix might be incomplete. See
> >
> > http://www.openwall.com/lists/oss-security/2016/12/28/1
> >
> > for further details.
>
> There was now a followup:
>
> http://www.openwall.com/lists/oss-security/2016/12/28/4
>
> Note, that I have marked CVE-2016-10045 in the security-tracker as
> not-affected, since the patch for CVE-2016-10033 introducing the issue
> was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
> sure that the fix is complete to not make libphp-phpmailer vulnerable
> to CVE-2016-10045.
>
> Not sure though if we should change the way we track both CVEs and
> treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
> specific to the bypass of the CVE-2016-10033, so TTBOMK we are
> tracking it right this way.
Note there was another followup, which now seem to concludes the fix,
details in
http://www.openwall.com/lists/oss-security/2016/12/28/6
Regards,
Salvatore
More information about the pkg-php-pear
mailing list