Debian-LTS has issued an advisory on December 8:
http://lwn.net/Alerts/667302/

The corresponding Debian bug, which includes a link to the upstream commit to fix the issue, is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807265

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Looks as if it has been fixed in version 5.2.14:
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
So we may well upgrade to version 5.2.14.
Status: NEW => ASSIGNED
fixed in cauldron
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
This bug has now been fixed and the following packages are now in mga5 updates_testing:

php-phpmailer-5.2.14-1.mga5.src.rpm
php-phpmailer-5.2.14-1.mga5.noarch.rpm

Assigning to QA
CC: (none) => thomas
Assignee: thomas => qa-bugs
Thanks Thomas!

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks. This is valid in RFC5322, but allowing such addresses resulted in invalid RFC5321 SMTP commands, permitting a kind of message injection attack (CVE-2015-8476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8476
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
http://lwn.net/Alerts/667302/
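The failure mode named in the advisory, shown as an added example that is not part of this bug thread and is not PHPMailer's own fix: an address with a line break turns one SMTP envelope command into several lines unless it is rejected first. All function names and the sample addresses are constructed for illustration.

```php
<?php
// Added illustration: not PHPMailer's code. All names below are hypothetical.

/** Naive builder: drops the address straight into the SMTP command. */
function naive_rcpt_command(string $address): string
{
    return 'RCPT TO:<' . $address . ">\r\n";
}

/** Accept only addresses with no control characters and valid syntax. */
function is_safe_envelope_address(string $address): bool
{
    // CR, LF and other control bytes must never reach the SMTP command line.
    if (preg_match('/[\x00-\x1F\x7F]/', $address) === 1) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/** Hardened builder: refuses anything the check above rejects. */
function safe_rcpt_command(string $address): string
{
    if (!is_safe_envelope_address($address)) {
        throw new InvalidArgumentException('Unsafe envelope address rejected');
    }
    return naive_rcpt_command($address);
}

/** Number of CRLF-terminated lines the server would read from $command. */
function smtp_line_count(string $command): int
{
    return substr_count($command, "\r\n");
}

// Constructed sample input: the second address has a folded (line-broken) quoted local part.
$samples = ['user@example.com', "\"first\r\n last\"@example.com"];

foreach ($samples as $address) {
    $lines = smtp_line_count(naive_rcpt_command($address));
    try {
        safe_rcpt_command($address);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected';
    }
    printf("%s => naive builder emits %d line(s); hardened builder: %s\n",
        json_encode($address), $lines, $verdict);
}
```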
Example here: https://github.com/PHPMailer/PHPMailer
If you do send an email, be aware that it may be treated as spam, without being properly routed. It's enough of a test though.
Whiteboard: (none) => has_procedure
Installed the update and attempted to run a PHPMailer test using Gmail to my Yahoo account. Well, that failed because Gmail blocked it. I received an email of the attempt: "Someone just tried to sign in to your Google Account xxxxxxx@gmail.com from an app that doesn't meet modern security standards." It works from my perspective.

Brian
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Well done Brian. Validating. Advisory uploaded. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0484.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED