[pkg-php-pear] Bug#991666: libphp-phpmailer: CVE-2021-3603

Moritz Mühlenhoff jmm at inutil.org
Thu Jul 29 22:10:03 BST 2021

Source: libphp-phpmailer
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security


The following vulnerability was published for libphp-phpmailer.

| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
| untrusted code being called (if such code is injected into the host
| project's scope by other means). If the $patternselect parameter to
| validateAddress() is set to 'php' (the default, defined by
| PHPMailer::$validator), and the global namespace contains a function
| called php, it will be called in preference to the built-in validator
| of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of
| simple strings as validator function names.


https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3603

Please adjust the affected versions in the BTS as needed.

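The dispatch pattern the advisory text describes, as an added illustration that is not PHPMailer's own code: a cut-down model of a `validateAddress()`-style function that consults `is_callable()` before matching built-in validator names, shown beside a hardened variant that refuses plain strings as callables (the mitigation the 6.5.0 description names). The function names `validateAddressVulnerable`, `validateAddressHardened`, the planted global `php()` and the sample addresses are all constructed for this example.

```php
<?php
// Added example modelling CVE-2021-3603 (not PHPMailer's code; names are hypothetical).
declare(strict_types=1);

// Simplified model of the pre-6.5.0 logic: any value that is_callable() accepts
// is invoked first, and a string such as 'php' is callable as soon as a global
// function with that name exists anywhere in the process.
function validateAddressVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    switch ($patternselect) {
        case 'php':
        default:
            // Built-in validator that the string 'php' is meant to select.
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

// Hardened model: only non-string callables (closures, [obj, 'method'] arrays)
// are dispatched dynamically; a bare string always means a built-in validator name.
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    switch ($patternselect) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

// Stand-in for code that reached the global namespace "by other means" (for
// example a file the host application includes). It shadows the built-in name.
function php(string $address): bool
{
    echo "[!] user-defined global php() called with: {$address}\n";
    return true; // accepts anything, bypassing real validation
}

// Constructed sample inputs: one valid address, one that must be rejected.
$samples = ['user@example.com', 'not an address'];
foreach ($samples as $addr) {
    printf("vulnerable(%-18s) => %s\n", "'{$addr}'", var_export(validateAddressVulnerable($addr), true));
    printf("hardened  (%-18s) => %s\n", "'{$addr}'", var_export(validateAddressHardened($addr), true));
}

// Legitimate custom validators still work in the hardened form: pass a closure.
$onlyExampleCom = static fn(string $a): bool => (bool) preg_match('/@example\.com$/', $a);
printf("hardened with closure ('user@example.com') => %s\n",
    var_export(validateAddressHardened('user@example.com', $onlyExampleCom), true));
printf("hardened with closure ('user@other.org')   => %s\n",
    var_export(validateAddressHardened('user@other.org', $onlyExampleCom), true));
```

Run with `php example.php`. The vulnerable model reports `true` for `'not an address'` and prints the `[!]` line, because `is_callable('php')` is satisfied by the planted function and the built-in branch is never reached; the hardened model falls through to `filter_var()` for the string default and only honours the closure when one is passed explicitly. When reviewing a package for this class of bug, grep for `is_callable(` followed by `call_user_func(` on a value that can also be a string selector, and check that string selectors are matched against an allow-list rather than dispatched.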