[pkg-php-pear] Bug#849365: libphp-phpmailer: CVE-2016-10033

Salvatore Bonaccorso carnil at debian.org
Thu Dec 29 07:45:02 UTC 2016


Hi,

On Wed, Dec 28, 2016 at 11:31:11AM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> > On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > > Source: libphp-phpmailer
> > > Version: 5.2.9+dfsg-2
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > 
> > > Hi,
> > > 
> > > the following vulnerability was published for libphp-phpmailer.
> > > 
> > > CVE-2016-10033[0]:
> > > remote code execution
> > 
> > Further analysis of the fix via
> > https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> > has shown that this fix might be incomplete. See
> > 
> > http://www.openwall.com/lists/oss-security/2016/12/28/1
> > 
> > for further details.
> 
> There was now a followup:
> 
> http://www.openwall.com/lists/oss-security/2016/12/28/4
> 
> Note, that I have marked CVE-2016-10045 in the security-tracker as
> not-affected, since the patch for CVE-2016-10033 introducing the issue
> was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
> sure that the fix is complete to not make libphp-phpmailer vulnerable
> to CVE-2016-10045.
> 
> Not sure though if we should change the way we track both CVEs and
> treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
> specific to the bypass of the CVE-2016-10033, so TTBOMK we are
> tracking it right this way.

Note there was another followup, which now seems to conclude the fix;
details in

http://www.openwall.com/lists/oss-security/2016/12/28/6

Regards,
Salvatore
