| Summary: | php-phpmailer new security issue CVE-2020-13625 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, mhrambo3501, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | php-phpmailer-6.0.6-5.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-06-09 22:47:00 CEST

David Walser
2020-06-09 22:47:17 CEST
Whiteboard: (none) => MGA7TOO

Updated package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Fix insufficient output escaping bug in file attachment names (CVE-2020-13625).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OBRDMEV3CB44CAAF5BOHFNV23JVRO6PZ/
https://github.com/advisories/GHSA-f7hx-fqxw-rvvj
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13625
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-6.1.6-1.mga7.noarch.rpm

from php-phpmailer-6.1.6-1.mga7.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=20069#c9

mrambo
CC: (none) => mrambo

Installed and tested OK.
Tested using several production-level PHP scripts and no issues were noticed.
Also tested using the minimal test PHP script below.
System: Mageia 7, x86_64, PHP 7.3.19, Intel CPU.
$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q php-phpmailer
php-phpmailer-6.1.6-1.mga7
$ php --version
PHP 7.3.19 (cli) (built: Jun 19 2020 09:13:44) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies
$ rpm -qa | grep php | sort
apache-mod_php-7.3.19-2.mga7
lib64php_common7-7.3.19-2.mga7
php-bz2-7.3.19-2.mga7
php-channel-phpunit-1.3-16.mga7
php-cli-7.3.19-2.mga7
php-ctype-7.3.19-2.mga7
php-curl-7.3.19-2.mga7
php-dom-7.3.19-2.mga7
php-exif-7.3.19-2.mga7
php-fileinfo-7.3.19-2.mga7
php-filter-7.3.19-2.mga7
php-fpm-7.3.19-2.mga7
php-ftp-7.3.19-2.mga7
php-gd-7.3.19-2.mga7
php-gettext-7.3.19-2.mga7
php-hash-7.3.19-2.mga7
php-iconv-7.3.19-2.mga7
php-imagick-3.4.4-1.mga7
php-ini-7.3.19-2.mga7
php-intl-7.3.19-2.mga7
php-json-7.3.19-2.mga7
php-ldap-7.3.19-2.mga7
php-mbstring-7.3.19-2.mga7
phpmyadmin-4.9.5-1.mga7
php-mysqli-7.3.19-2.mga7
php-mysqlnd-7.3.19-2.mga7
php-openssl-7.3.19-2.mga7
php-pdo-7.3.19-2.mga7
php-pdo_mysql-7.3.19-2.mga7
php-pdo_sqlite-7.3.19-2.mga7
php-pear-1.10.9-1.mga7
php-pear-Auth_SASL-1.1.0-1.mga7
php-pear-channel-horde-1.0-21.mga7
php-pear-channel-symfony2-1.0-7.mga7
php-pear-Console_Color2-0.1.2-7.mga7
php-pear-Console_CommandLine-1.2.2-2.mga7
php-pear-Console_Getargs-1.4.0-2.mga7
php-pear-Console_Table-1.3.1-2.mga7
php-pear-Crypt_GPG-1.6.3-1.mga7
php-pear-DbUnit-1.3.1-6.mga7
php-pear-Event_Dispatcher-1.1.0-10.mga7
php-pear-File_Find-1.3.3-5.mga7
php-pear-File_Iterator-1.3.4-6.mga7
php-pear-HTML_Common-1.2.5-9.mga7
php-pear-HTML_CSS-1.5.4-12.mga7
php-pear-HTML_Table-1.8.4-2.mga7
php-pear-HTTP_Request2-2.3.0-2.mga7
php-pear-Mail_Mime-1.10.2-2.mga7
php-pear-Net_IDNA2-0.2.0-2.mga7
php-pear-Net_LDAP2-2.2.0-1.mga7
php-pear-Net_Sieve-1.4.4-1.mga7
php-pear-Net_SMTP-1.8.1-1.mga7
php-pear-Net_Socket-1.2.2-2.mga7
php-pear-Net_URL2-2.2.1-2.mga7
php-pear-PEAR_PackageFileManager-1.7.2-2.mga7
php-pear-PEAR_PackageFileManager2-1.0.4-6.mga7
php-pear-PEAR_PackageFileManager_Plugins-1.0.4-2.mga7
php-pear-PHP_CodeCoverage-1.2.17-6.mga7
php-pear-PHP_CompatInfo-1.9.0-13.mga7
php-pear-PHP_Invoker-1.1.3-6.mga7
php-pear-PHP_Timer-1.0.5-6.mga7
php-pear-PHP_TokenStream-1.2.2-5.mga7
php-pear-PHPUnit-3.7.34-4.mga7
php-pear-PHPUnit_MockObject-1.2.3-6.mga7
php-pear-PHPUnit_Selenium-1.3.3-6.mga7
php-pear-PHPUnit_Story-1.0.2-6.mga7
php-pear-Services_W3C_CSSValidator-0.2.3-7.mga7
php-pear-Symfony2_Yaml-2.4.4-5.mga7
php-pear-Text_Diff-1.2.2-2.mga7
php-pear-Text_Template-1.2.0-5.mga7
php-pear-XML_Parser-1.3.7-2.mga7
php-pear-XML_Serializer-0.21.0-2.mga7
php-phpmailer-6.1.6-1.mga7
php-posix-7.3.19-2.mga7
php-session-7.3.19-2.mga7
php-sockets-7.3.19-2.mga7
php-sysvsem-7.3.19-2.mga7
php-sysvshm-7.3.19-2.mga7
php-tokenizer-7.3.19-2.mga7
php-xml-7.3.19-2.mga7
php-xmlreader-7.3.19-2.mga7
php-xmlwriter-7.3.19-2.mga7
php-zip-7.3.19-2.mga7
php-zlib-7.3.19-2.mga7
=======BEGIN mailtest.php
<?php
// The package does not ship an autoloader, so pull in the three PHPMailer classes directly.
require "PHPMailer.php";
require "Exception.php";
require "SMTP.php";
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\SMTP;
//////////////////
/// Set these variables to something appropriate for your email SMTP account.
$SMTP_HOST = "";
$SMTP_USERNAME = "";
$SMTP_PASSWORD = "";
$FROM_EMAIL = "";
$FROM_NAME = "";
$REPLY_EMAIL = "";
$REPLY_NAME = "";
$TO_EMAIL = "";   // recipient address and name (were used below but never set)
$TO_NAME = "";
//////////////
$mail = new PHPMailer;
$mail->Mailer = "smtp";
$mail->Host = $SMTP_HOST;
$mail->Username = $SMTP_USERNAME;
$mail->Password = $SMTP_PASSWORD;
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->SMTPAuth = true;
$mail->AuthType = "PLAIN";
$mail->SMTPDebug = SMTP::DEBUG_LOWLEVEL;   // full client/server transcript on stdout
$mail->setFrom($FROM_EMAIL, $FROM_NAME);
$mail->addReplyTo($REPLY_EMAIL, $REPLY_NAME);
$mail->addAddress($TO_EMAIL, $TO_NAME);
$mail->Subject = 'PHPMailer mail() test';
// HTML body from contents.html; relative image paths in it are resolved against __DIR__.
$mail->msgHTML(file_get_contents('contents.html'), __DIR__);
$mail->AltBody = 'This is a plain-text message body';
// A file attachment exercises the attachment-name handling patched for CVE-2020-13625.
$mail->addAttachment('image.png');
if (!$mail->send()) {
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message sent!';
}
?>
=======END mailtest.php

CC: (none) => mageia

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
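The bug class named in the advisory above, shown as an added example that is not code from this bug report or from PHPMailer: a file name containing double quotes is dropped unescaped into a Content-Disposition header, and the hardened form wraps it as an RFC 2045 quoted-string. The function names and the sample file name are constructed for illustration.

```php
<?php
// Added example for the CVE-2020-13625 bug class; not PHPMailer's own code.
// Quoted-string rules from RFC 2045 / RFC 5322 are applied by hand here.

// Weak form: the file name is dropped into the parameter value unescaped,
// so a double quote inside the name ends the quoted-string early and the
// rest of the name is parsed by the receiver as further header parameters.
function weakDisposition(string $name): string
{
    return 'Content-Disposition: attachment; filename="' . $name . '"';
}

// Hardened form: remove CR/LF (they would start a new header line), then
// backslash-escape backslash and double quote before wrapping in quotes.
function safeDisposition(string $name): string
{
    $clean = str_replace(["\r", "\n"], '', $name);
    return 'Content-Disposition: attachment; filename="'
        . addcslashes($clean, '"\\') . '"';
}

// Regression check for generated MIME output: true only when the filename
// parameter is one well-formed quoted-string (every inner quote escaped)
// that runs to the end of the header line.
function filenameParamIsWellFormed(string $header): bool
{
    return preg_match('/filename="(?:[^"\\\\]|\\\\.)*"\s*$/', $header) === 1;
}

// Constructed test name: the double quotes are the character the CVE is about.
$name = 'quarterly "draft".pdf';

$headers = ['weak' => weakDisposition($name), 'safe' => safeDisposition($name)];
foreach ($headers as $label => $header) {
    printf("%-4s %-3s %s\n", $label,
        filenameParamIsWellFormed($header) ? 'OK' : 'BAD', $header);
}
```

Run the check against the headers of a message built with the updated package and an attachment whose name contains a double quote; a well-formed result confirms the escaping fix is in effect.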
Dave Hodgins
2020-07-31 11:16:43 CEST
Keywords: (none) => advisory
Resolution: (none) => FIXED

srpm in advisory on svn fixed.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0313.html