[pkg-php-pear] Bug#991666: libphp-phpmailer: CVE-2021-3603
jmm at inutil.org
Thu Jul 29 22:10:03 BST 2021
X-Debbugs-CC: team at security.debian.org
The following vulnerability was published for libphp-phpmailer.
| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
| untrusted code being called (if such code is injected into the host
| project's scope by other means). If the $patternselect parameter to
| validateAddress() is set to 'php' (the default, defined by
| PHPMailer::$validator), and the global namespace contains a function
| called php, it will be called in preference to the built-in validator
| of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of
| simple strings as validator function names.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
Please adjust the affected versions in the BTS as needed.
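
Added example, not part of the original report and not PHPMailer's own code: a minimal PHP model of the dispatch the CVE description explains, with the pre-6.5.0 behaviour beside the mitigated form. The names validate_vulnerable(), validate_hardened() and builtin_validate() are hypothetical, and filter_var() stands in for the built-in 'php' validator.

```php
<?php
// Constructed stand-in for code injected into the global namespace by other means.
function php($address)
{
    $GLOBALS['hijacked'] = true; // record that this ran instead of the validator
    return true;                 // and accept whatever was passed in
}

// Hypothetical stand-in for the built-in validator that the name 'php' selects.
function builtin_validate(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Behaviour described for 6.4.1 and earlier: a plain string that names a
// function counts as a callable and is dispatched before the built-in check.
function validate_vulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtin_validate($address);
}

// Mitigation described for 6.5.0: simple strings are never used as validator
// function names; closures and other non-string callables are still accepted.
function validate_hardened(string $address, $patternselect = 'php'): bool
{
    if (!is_string($patternselect) && is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtin_validate($address);
}

// Run both forms on a constructed, clearly invalid address.
foreach (['validate_vulnerable', 'validate_hardened'] as $validate) {
    $GLOBALS['hijacked'] = false;
    $accepted = $validate('not an address');
    printf("%-20s accepted=%s global php() ran=%s\n", $validate,
        var_export($accepted, true), var_export($GLOBALS['hijacked'], true));
}

// A closure passed explicitly still works with the hardened form.
$hasAt = function ($address) { return strpos($address, '@') !== false; };
printf("closure validator    accepted=%s\n",
    var_export(validate_hardened('user@example.com', $hasAt), true));
```

Only the first form hands the address to the global php() function; the hardened form falls through to the built-in check even though that function is defined.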