[pkg-php-pear] Bug#991666: libphp-phpmailer: CVE-2021-3603

Moritz Mühlenhoff jmm at inutil.org
Thu Jul 29 22:10:03 BST 2021


Source: libphp-phpmailer
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libphp-phpmailer.

CVE-2021-3603[0]:
| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
| untrusted code being called (if such code is injected into the host
| project's scope by other means). If the $patternselect parameter to
| validateAddress() is set to 'php' (the default, defined by
| PHPMailer::$validator), and the global namespace contains a function
| called php, it will be called in preference to the built-in validator
| of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of
| simple strings as validator function names.

https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/

Patch:
https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3603
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603

Please adjust the affected versions in the BTS as needed.
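The dispatch weakness described in the CVE text above, shown as an added example (not code from PHPMailer or from this bug report): a simplified stand-in for validateAddress() that, like the pre-6.5.0 code, hands the $patternselect string to is_callable()/call_user_func() before consulting the built-in validators, beside a stand-in for the 6.5.0 mitigation that refuses bare strings as callables. The global function php() is constructed here and is benign; it only records that it was reached.

```php
<?php
declare(strict_types=1);

// Constructed for this example: a function named "php" that some other code
// has placed in the global namespace. It only records that it was called.
function php(string $address): bool
{
    $GLOBALS['reached'] = $address;
    return true; // accepts anything, including the invalid address below
}

// Simplified stand-in for the pre-6.5.0 dispatch (not PHPMailer's code):
// any callable, including a plain string naming a global function, wins
// over the built-in validator selected by the same name.
function validateAddressVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Simplified stand-in for the 6.5.0 mitigation (not PHPMailer's code): a bare
// string is never treated as a callable, so 'php' always reaches the built-in
// validator. Closures and array callables remain usable for custom checks.
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

$bad = 'not an address';

$GLOBALS['reached'] = null;
$vuln = validateAddressVulnerable($bad);   // the global php() is reached; $bad is accepted
$vulnReached = $GLOBALS['reached'] !== null;

$GLOBALS['reached'] = null;
$hard = validateAddressHardened($bad);     // built-in validator runs; $bad is rejected
$hardReached = $GLOBALS['reached'] !== null;

// A custom validator is still honoured when passed as a real callable.
$custom = validateAddressHardened('user@example.com', fn(string $a): bool => strpos($a, '@') !== false);

printf("vulnerable: accepted=%d php() reached=%d\n", $vuln, $vulnReached);
printf("hardened:   accepted=%d php() reached=%d\n", $hard, $hardReached);
printf("hardened with closure validator: accepted=%d\n", $custom);
```

The difference to check is the second column: with the vulnerable dispatch the injected php() is reached for the default 'php' selector, with the hardened dispatch it never is.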