| Summary: | php-phpmailer new XSS security issue | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, herman.viaene, lewyssmith, mageia, mageia, marja11, olav, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-32-OK | | |
| Source RPM: | php-phpmailer-5.2.24-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | phpmailer test script | | |

Description
David Walser
2017-11-17 17:35:25 CET

David Walser
2017-11-17 17:35:30 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

CC: (none) => guillomovitch, mageia, marja11, olav

New version 5.2.26 just submitted in cauldron, fixed releases php-phpmailer-5.2.24-1.1.mga6 and php-phpmailer-5.2.24-1.1.mga5 submitted in update_testing for Mageia 6 and 5.

Assignee: pkg-bugs => qa-bugs

Advisory:
========================

Updated php-phpmailer packages fix security vulnerability:

Debugoutput wasn't set in constructor according to SAPI in use, resulting in potential XSS in default debug output.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PJ56RXWJ42PXFZPVRGEDSP4HAE3TNRV6/
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.24-1.1.mga5
php-phpmailer-5.2.24-1.1.mga6

from SRPMS:
php-phpmailer-5.2.24-1.1.mga5.src.rpm
php-phpmailer-5.2.24-1.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

MGA5-64 on Lenovo B50 KDE
No installation issues.
Followed lead of bug 20069 (hit the same snag with autoload) and bug 17319, but then at CLI:
$ php phpmail
PHP Fatal error: Class 'PHPMailer\PHPMailer\PHPMailer' not found in /home/tester5/Documenten/phpmail on line 12
I can't guess wh

CC: (none) => herman.viaene

Continuing: I can't guess what could be missing. Shouldn't this class be in the package??

The example you are using is coming from the 'master' branch on github, whereas we are using the 5.2 stable version, and the missing classes don't exist. Just drop the 'use' statement, it should work as expected.

When I comment out the two 'use' statements, I still get
$ php phpmail
PHP Warning: require(vendor/autoload.php): failed to open stream: No such file or directory in /home/tester5/Documenten/phpmail on line 8
PHP Fatal error: require(): Failed opening required 'vendor/autoload.php' (include_path='.:/usr/lib/php/:/usr/share/pear/:/usr/share/php/') in /home/tester5/Documenten/phpmail on line 8
And when I comment that one out as well:
$ php phpmail
PHP Fatal error: Class 'PHPMailer' not found in /home/tester5/Documenten/phpmail on line 10

Installed and tested without issues.
System: Mageia 5, x86_64, Intel CPU.
Test was done using the attached phpmailer.php script based on the example at https://github.com/PHPMailer/PHPMailer with some adjustments.
The following needs to be done before executing the script:
- Set the SMTP Host, Username and Password to an actual SMTP account.
- Set the e-mail addresses to valid e-mail addresses.
- Create the files /tmp/file.tar.gz and /tmp/image.jpg .
Executing the phpmailer.php script resulted in sending the email to the various e-mail addresses.
$ php phpmailer.php
<SNIP LONG DEBUG OUTPUT>
$ rpm -q php-phpmailer
php-phpmailer-5.2.24-1.1.mga5
$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep ^php | sort
php-cli-5.6.32-1.mga5
php-ctype-5.6.32-1.mga5
php-curl-5.6.32-1.mga5
php-dom-5.6.32-1.mga5
php-filter-5.6.32-1.mga5
php-ftp-5.6.32-1.mga5
php-gd-5.6.32-1.mga5
php-gettext-5.6.32-1.mga5
php-hash-5.6.32-1.mga5
php-ini-5.6.32-1.mga5
php-json-5.6.32-1.mga5
php-mbstring-5.6.32-1.mga5
php-mysqli-5.6.32-1.mga5
php-mysqlnd-5.6.32-1.mga5
php-openssl-5.6.32-1.mga5
php-pdo-5.6.32-1.mga5
php-pdo_mysql-5.6.32-1.mga5
php-phpmailer-5.2.24-1.1.mga5
php-posix-5.6.32-1.mga5
php-session-5.6.32-1.mga5
php-suhosin-0.9.37.1-1.mga5
php-sysvsem-5.6.32-1.mga5
php-sysvshm-5.6.32-1.mga5
php-timezonedb-2016.6-1.mga5
php-tokenizer-5.6.32-1.mga5
php-xdebug-2.2.5-3.mga5
php-xml-5.6.32-1.mga5
php-xmlreader-5.6.32-1.mga5
php-xmlwriter-5.6.32-1.mga5
php-zlib-5.6.32-1.mga5

CC: (none) => mageia

Created attachment 9812 [details]
phpmailer test script

PC LX
2017-11-29 00:45:51 CET
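The advisory above says the fixed PHPMailer constructor chooses its Debugoutput format from the SAPI in use. The following is an added example to show why that default matters; it is not PHPMailer's code and not the test script attached to this bug. The DebugSink class, its method names and the SMTP banner are my own constructions; only the idea (raw output on the CLI, HTML-escaped output everywhere else) comes from the advisory. A server-controlled string such as the greeting banner is harmless on a terminal but, if a web page renders SMTP debug output unescaped, it becomes markup in that page.

```php
<?php
// Added example, not PHPMailer's own code. DebugSink is a hypothetical
// stand-in for a mailer's debug output path.

final class DebugSink
{
    /** @var string 'echo' for raw terminal output, 'html' for escaped web output */
    private $mode;

    public function __construct($mode = null)
    {
        // Default from the SAPI: raw text is fine on a terminal, anything
        // else is assumed to end up in a browser and is escaped.
        if ($mode === null) {
            $mode = (PHP_SAPI === 'cli') ? 'echo' : 'html';
        }
        if ($mode !== 'echo' && $mode !== 'html') {
            throw new InvalidArgumentException("unknown debug mode: $mode");
        }
        $this->mode = $mode;
    }

    public function getMode()
    {
        return $this->mode;
    }

    /**
     * Format one debug line. Returns the string instead of printing it so the
     * two modes can be compared side by side.
     */
    public function render($line)
    {
        $stamp = gmdate('Y-m-d H:i:s');
        if ($this->mode === 'html') {
            // Collapse line breaks, then escape: the SMTP peer controls $line.
            $flat = preg_replace('/[\r\n]+/', ' ', $line);
            return $stamp . ' ' . htmlspecialchars($flat, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
        return $stamp . ' ' . $line . "\n";
    }
}

// Constructed sample: an SMTP greeting carrying markup. A real server sends
// something like "220 smtp.example ESMTP"; the tag here only shows what the
// html mode neutralises.
$banner = "220 mail.example.invalid ESMTP <script>alert(1)</script>";
$line   = 'SERVER -> CLIENT: ' . $banner;

$cli = new DebugSink('echo');   // what a CLI run of the test script gets
$web = new DebugSink('html');   // what a page showing SMTPDebug output should get

echo "echo mode : " . $cli->render($line);
echo "html mode : " . $web->render($line);

// The default this process would pick, which is the point of the fix:
$auto = new DebugSink();
echo "PHP_SAPI is '" . PHP_SAPI . "', default mode is '" . $auto->getMode() . "'\n";
```

Run it with `php` from a shell and the default is `echo`; served through a web SAPI it flips to `html`, and the `<script>` tag in the banner arrives as `&lt;script&gt;` text rather than as an element.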
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Used script from attachment (big tx), adapted to own mail addresses. Works perfectly.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA5-32-OK

Thanks for the test script PC LX but it would not run here. Only one email address available and the account is IMAP but I used smtp.googlemail.com as the server name. Could not authenticate.
$ php phpmailer.php
2017-11-29 17:36:51 SERVER -> CLIENT:
2017-11-29 17:36:51 SMTP NOTICE: EOF caught while checking if connected
2017-11-29 17:36:51 SMTP Error: Could not authenticate.
2017-11-29 17:36:51 SMTP Error: Could not authenticate.
Message could not be sent.Mailer Error: SMTP Error: Could not authenticate.
Out of my depth here so am dropping it.

CC: (none) => tarazed25

(In reply to Len Lawrence from comment #11)
> Thanks for the test script PC LX but it would not run here. Only one email
> address available and the account is IMAP but I used smtp.googlemail.com as
> the server name. Could not authenticate.

You can see the SMTP settings for a google mail (gmail) account here:
https://support.google.com/a/answer/176600?hl=en

Lewis Smith
2017-11-29 21:30:19 CET

CC: (none) => lewyssmith

I will try M6/64 tomorrow.

Thanks for the pointer PC LX. More output this time but it still cannot authenticate me. Not much point in pursuing this, as I said.
$ php phpmailer.php
2017-11-29 22:00:45 SERVER -> CLIENT: 220 smtp.gmail.com ESMTP k30sm3849407wrf.63 - gsmtp
2017-11-29 22:00:45 CLIENT -> SERVER: EHLO belexeuli
2017-11-29 22:00:45 SERVER -> CLIENT: 250-smtp.gmail.com at your service, [82.4.76.253]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
2017-11-29 22:00:45 CLIENT -> SERVER: STARTTLS
2017-11-29 22:00:45 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2017-11-29 22:00:45 CLIENT -> SERVER: EHLO belexeuli
2017-11-29 22:00:45 SERVER -> CLIENT: 250-smtp.gmail.com at your service, [82.4.76.253]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
2017-11-29 22:00:45 CLIENT -> SERVER: AUTH LOGIN
2017-11-29 22:00:45 SERVER -> CLIENT: 334 VXNlcm5hbWU6
2017-11-29 22:00:45 CLIENT -> SERVER: dGFyYXplZDI1QGdvb2dsZS5jb20=
2017-11-29 22:00:45 SERVER -> CLIENT: 334 UGFzc3dvcmQ6
2017-11-29 22:00:45 CLIENT -> SERVER: TGl0YW56ZWwxNw==
2017-11-29 22:00:45 SERVER -> CLIENT: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/?p=BadCredentials k30sm3849407wrf.63 - gsmtp
2017-11-29 22:00:45 SMTP ERROR: Password command failed: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/?p=BadCredentials k30sm3849407wrf.63 - gsmtp
2017-11-29 22:00:45 SMTP Error: Could not authenticate.
2017-11-29 22:00:45 CLIENT -> SERVER: QUIT
2017-11-29 22:00:45 SERVER -> CLIENT: 221 2.0.0 closing connection k30sm3849407wrf.63 - gsmtp
2017-11-29 22:00:45 SMTP Error: Could not authenticate.
Message could not be sent.Mailer Error: SMTP Error: Could not authenticate.

Trying M6/64
Using the updated package: php-phpmailer-5.2.24-1.1.mga6
First thank you PC_LX for the test script, which I edited for the server, username, password as per my e-mail client; recipient etc. fields.
$mail->Host = "smtp.free.fr";
$mail->Username = "<username>";
$mail->Password = "<password>";
$mail->setFrom("<myFreeEmailAddress>", "Mailer");
$mail->addAddress("<anotherMyEmailAdress>", "RecOnetel");
$mail->addAddress("<myFreeEmailAddress>", "RecFree");
$mail->addReplyTo("<myFreeEmailAddress>", "Information");
$mail->addCC("<myFreeEmailAddress>");
$mail->addBCC("<anotherMyEmailAdress>");
$ php phpmailer.php
2017-11-30 07:51:42 SERVER -> CLIENT: 220 smtp4-g21.free.fr ESMTP Postfix
2017-11-30 07:51:42 CLIENT -> SERVER: EHLO localhost.localdomain
2017-11-30 07:51:42 SERVER -> CLIENT: 250-smtp4-g21.free.fr
...
2017-11-30 07:51:42 CLIENT -> SERVER: STARTTLS
2017-11-30 07:51:42 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2017-11-30 07:51:42 CLIENT -> SERVER: EHLO localhost.localdomain
2017-11-30 07:51:42 SERVER -> CLIENT: 250-smtp4-g21.free.fr
...
2017-11-30 07:51:42 SMTP Error: Could not authenticate.
2017-11-30 07:51:42 CLIENT -> SERVER: QUIT
2017-11-30 07:51:42 SERVER -> CLIENT: 221 2.0.0 Bye
2017-11-30 07:51:42 SMTP Error: Could not authenticate.
Message could not be sent.Mailer Error: SMTP Error: Could not authenticate.
Is the 'localhost.localdomain' correct for EHLO ?
Normally for sending messages from my e-mail client, it does so without authentication. Invoking this 'Automatic', which said that it would use the same username/password as for POP if I did not supply different (I did not). Sending a message resulted in a complaint about "unknown TLS certificate - Accept?", which I did, after which the send worked. In case that helps.

MGA6-32 on Dell Latitude D600
No installation issues.
Sent mail using attached test script, both plain message and with attachment. All OK.

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-32-OK

Validating the update based on the above comments.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0438.html

Resolution: (none) => FIXED