[Git][security-tracker-team/security-tracker][master] CVE-2020-36326: add fixing commit

[Emilio Pozuelo Monfort]

Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9d6987ab by Emilio Pozuelo Monfort at 2021-05-04T09:43:43+02:00
CVE-2020-36326: add fixing commit

And mark as n/a on buster & stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -428,8 +428,11 @@ CVE-2021-31830
 	RESERVED
 CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Des ...)
 	- libphp-phpmailer <unfixed>
+	[buster] - libphp-phpmailer <not-affected> (Regression introduced in 6.1.8)
+	[stretch] - libphp-phpmailer <not-affected> (Regression introduced in 6.1.8)
 	NOTE: Introduced by: https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9 (6.1.8)
-	TODO: check if the code change eliminated the code that blocked addAttachment independent on Windows plattform/UNC paths
+	NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a
+	NOTE: Also backport: https://github.com/PHPMailer/PHPMailer/commit/7f267fb4aadfcf62e3ddc50494c469c6b9c4405a
 CVE-2021-3518 [use-after-free in xmlXIncludeDoProcess() in xinclude.c]
 	RESERVED
 	[experimental] - libxml2 2.9.10+dfsg-6.4



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d6987ab162f6d797550a061935db3d830bb1047

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d6987ab162f6d797550a061935db3d830bb1047
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210504/981b356f/attachment.htm>