Bug 17319

Summary: php-phpmailer new security issue CVE-2015-8476
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, sysadmin-bugs, thomas
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/667315/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: php-phpmailer-5.2.7-0.20130917.5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-09 18:45:57 CET 
Debian-LTS has issued an advisory on December 8:
http://lwn.net/Alerts/667302/

The corresponding Debian bug, which includes a link to the upstream commit to fix the issue, is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807265

Mageia 5 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-12-09 18:46:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Spuhler 2015-12-14 22:44:05 CET 
Looks to as it has been fixed in version 5.2.14
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
So we may well upgrade to vers. 5.2.14

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2015-12-14 22:58:54 CET 
fixed in cauldron
David Walser 2015-12-14 23:07:19 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 Thomas Spuhler 2015-12-14 23:23:15 CET 
This bug has now been fixed and the following packages are now in mga5 updates_testing:
php-phpmailer-5.2.14-1.mga5.src.rpm
php-phpmailer-5.2.14-1.mga5.noarch.rpm

Assigning to QA

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 4 David Walser 2015-12-14 23:39:40 CET 
Thanks Thomas!

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Takeshi Terada discovered that PHPMailer accepted addresses containing line
breaks. This is valid in RFC5322, but allowing such addresses resulted in
invalid RFC5321 SMTP commands, permitting a kind of message injection attack
(CVE-2015-8476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8476
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
http://lwn.net/Alerts/667302/
Comment 5 claire robinson 2015-12-18 16:46:19 CET 
Example here https://github.com/PHPMailer/PHPMailer

If you do send an email be aware that it may be treated as spam, without being properly routed. It's enough of a test though.

Whiteboard: (none) => has_procedure

Comment 6 Brian Rockwell 2015-12-19 14:41:24 CET 
Installed the update attempted to run a PHPMailer test using Gmail to my yahoo account.  WEll that failed because Gmail blocked it.  I received an Email of the attempt.  

"Someone just tried to sign in to your Google Account xxxxxxx@gmail.com from an app that doesn't meet modern security standards."

It works from my perspective.


Brian

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 7 claire robinson 2015-12-24 10:32:42 CET 
Well done Brian.

Validating. Advisory uploaded.

Please push to 5 updates. Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-12-24 12:09:14 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0484.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED