[pkg-php-pear] Bug#849365: libphp-phpmailer: CVE-2016-10033
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 28 10:31:11 UTC 2016
Hi
On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > Source: libphp-phpmailer
> > Version: 5.2.9+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > the following vulnerability was published for libphp-phpmailer.
> >
> > CVE-2016-10033[0]:
> > remote code execution
>
> Further analysis of the fix via
> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> has shown that this fix might be incomplete. See
>
> http://www.openwall.com/lists/oss-security/2016/12/28/1
>
> for further details.
There was now a followup:
http://www.openwall.com/lists/oss-security/2016/12/28/4
Note, that I have marked CVE-2016-10045 in the security-tracker as
not-affected, since the patch for CVE-2016-10033 introducing the issue
was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
sure that the fix is complete to not make libphp-phpmailer vulnerable
to CVE-2016-10045.
Not sure though if we should change the way we track both CVEs and
treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
specific to the bypass of the CVE-2016-10033, so TTBOMK we are
tracking it right this way.
Regards,
Salvatore
More information about the pkg-php-pear
mailing list