| Summary: | php-phpmailer new security issues CVE-2017-11503 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, herman.viaene, lewyssmith, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok mga5-64-ok | ||
| Source RPM: | php-phpmailer-5.2.23-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-07-29 16:49:44 CEST
David Walser
2017-07-29 16:49:52 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO Assigning to all packagers collectively, since there is no registered maintainer for this package. CC:
(none) =>
marja11 Updated packages uploaded for Mageia 5, 6, and cauldron. Advisory: ======================== Updated php-phpmailer package fixes security vulnerability: It was discovered that php-phpmailer has a XSS vulnerability in in the "From Email Address" and "To Email Address" fields of code_generator.php (CVE-2017-11503). References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545FEK4BT73LWYBXC2P7MQYBELWVG257/ https://nvd.nist.gov/vuln/detail/CVE-2017-11503 ======================== Updated packages in core/updates_testing: ======================== php-phpmailer-5.2.24-1.mga5.noarch.rpm from php-phpmailer-5.2.24-1.mga5.src.rpm php-phpmailer-5.2.24-1.mga6.noarch.rpm from php-phpmailer-5.2.24-1.mga6.src.rpm Potential test procedure: https://bugs.mageia.org/show_bug.cgi?id=17319#c5 https://bugs.mageia.org/show_bug.cgi?id=17319#c6 Whiteboard:
MGA6TOO, MGA5TOO =>
MGA5TOO has_procedure MGA6-32 on Asus A6000VM MATE Installation: the test package was already installed???? Via bug 17319 got to the example in https://github.com/PHPMailer/PHPMailer , but then hit the same snag as in bug 20069 Comment 3 This time I choose my provider's smtp to send to my google account, and that worked perfectly (no attachments used). Whiteboard:
MGA5TOO has_procedure =>
MGA5TOO has_procedure MGA6-32-OK
Lewis Smith
2017-08-09 09:08:54 CEST
Whiteboard:
MGA5TOO has_procedure MGA6-32-OK =>
MGA5TOO has_procedure MGA6-32-OK advisory I was able to make it work this time. This is working as designed. Brian Whiteboard:
MGA5TOO has_procedure MGA6-32-OK advisory =>
MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok The following 24 packages are going to be installed: - lib64php5_common5-5.6.30-1.mga5.x86_64 - php-cli-5.6.30-1.mga5.x86_64 - php-ctype-5.6.30-1.mga5.x86_64 - php-dom-5.6.30-1.mga5.x86_64 - php-filter-5.6.30-1.mga5.x86_64 - php-ftp-5.6.30-1.mga5.x86_64 - php-gettext-5.6.30-1.mga5.x86_64 - php-hash-5.6.30-1.mga5.x86_64 - php-ini-5.6.30-1.mga5.x86_64 - php-json-5.6.30-1.mga5.x86_64 - php-openssl-5.6.30-1.mga5.x86_64 - php-phpmailer-5.2.24-1.mga5.noarch - php-posix-5.6.30-1.mga5.x86_64 - php-session-5.6.30-1.mga5.x86_64 - php-suhosin-0.9.37.1-1.mga5.x86_64 - php-sysvsem-5.6.30-1.mga5.x86_64 - php-sysvshm-5.6.30-1.mga5.x86_64 - php-timezonedb-2016.6-1.mga5.x86_64 - php-tokenizer-5.6.30-1.mga5.x86_64 - php-xml-5.6.30-1.mga5.x86_64 - php-xmlreader-5.6.30-1.mga5.x86_64 - php-xmlwriter-5.6.30-1.mga5.x86_64 - php-zlib-5.6.30-1.mga5.x86_64 - webserver-base-2.0-8.mga5.x86_64 8.2MB of additional disk space will be used. 2.2MB of packages will be retrieved. Is it ok to continue? 2017-08-10 21:25:55 CLIENT -> SERVER: Date: Thu, 10 Aug 2017 21:25:54 +0000 2017-08-10 21:25:55 CLIENT -> SERVER: To: Brian <xxxxx@yahoo.com> 2017-08-10 21:25:55 CLIENT -> SERVER: From: Brian <xxxxxx@gmail.com> 2017-08-10 21:25:55 CLIENT -> SERVER: Subject: PHP mmmmmmmmmmmmmmmmmmmmmmmmmmmail Test from g ttttttto y 2017-08-10 21:25:55 CLIENT -> SERVER: Message-ID: <33285a1fbfd00a496f38c5a51f569b44@localhost> 2017-08-10 21:25:55 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.24 (https://github.com/PHPMailer/PHPMailer) 2017-08-10 21:25:55 CLIENT -> SERVER: MIME-Version: 1.0 2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: multipart/alternative; 2017-08-10 21:25:55 CLIENT -> SERVER: boundary="xxxxxxxxxxx" 2017-08-10 21:25:55 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: This is a multi-part message in MIME format. 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER xxxxxxxxxxxxxxxxxx 2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: xxxxxxxxxxxxxxxxxx 2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: This is the HTML message body <b>in bold!</b> 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: xxxxxxxxxxxxxxxxxx 2017-08-10 21:25:55 CLIENT -> SERVER: 2017-08-10 21:25:55 CLIENT -> SERVER: . 2017-08-10 21:25:56 SERVER -> CLIENT: 250 2.0.0 OK 1502400358 w132sm1465553itf.31 - gsmtp 2017-08-10 21:25:56 CLIENT -> SERVER: QUIT 2017-08-10 21:25:56 SERVER -> CLIENT: 221 2.0.0 closing connection w132sm1465553itf.31 - gsmtp Message has been sent Works as designed. Whiteboard:
MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok =>
MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok mga5-64-ok
Lewis Smith
2017-08-13 09:53:24 CEST
CC:
(none) =>
sysadmin-bugs An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0257.html Status:
NEW =>
RESOLVED |