[Secure-testing-commits] r47513 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Wed Dec 28 10:26:51 UTC 2016
Author: carnil
Date: 2016-12-28 10:26:51 +0000 (Wed, 28 Dec 2016)
New Revision: 47513
Modified:
data/CVE/list
Log:
Update notes for libphp-phpmailer
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-12-28 10:20:07 UTC (rev 47512)
+++ data/CVE/list 2016-12-28 10:26:51 UTC (rev 47513)
@@ -2124,8 +2124,6 @@
RESERVED
CVE-2016-10072 (** DISPUTED ** WampServer 3.0.6 has two files called 'wampmanager.exe' ...)
TODO: check
-CVE-2016-10045
- RESERVED
CVE-2016-10044
RESERVED
CVE-2016-10043
@@ -2150,12 +2148,19 @@
RESERVED
CVE-2014-9914
RESERVED
+CVE-2016-10045 [Bypass of the CVE-2016-1033 patch]
+ - libphp-phpmailer <not-affected> (Incomplete fix not applied)
+ NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
CVE-2016-10033 [remote code execution]
RESERVED
- libphp-phpmailer <unfixed> (bug #849365)
NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
NOTE: Fix potentially incomplete, cf http://www.openwall.com/lists/oss-security/2016/12/28/1
+ NOTE: When updating libphp-phpmailer for CVE-2016-10033 make sure to apply the
+ NOTE: complete patch to not make libphp-phpmailer affected by CVE-2016-10045.
+ NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
+ NOTE: Needs followup: https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
CVE-2016-10032
RESERVED
CVE-2016-10031 (** DISPUTED ** WampServer 3.0.6 installs two services called ...)
More information about the Secure-testing-commits
mailing list