Bug 17319 - php-phpmailer new security issue CVE-2015-8476
Summary: php-phpmailer new security issue CVE-2015-8476
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/667315/
Whiteboard: has_procedure advisory MGA5-32-OK
Keywords: validated_update
Reported: 2015-12-09 18:45 CET by David Walser
Modified: 2015-12-24 12:09 CET (History)

Source RPM: php-phpmailer-5.2.7-0.20130917.5.mga5.src.rpm
Description David Walser 2015-12-09 18:45:57 CET
Debian-LTS has issued an advisory on December 8:
http://lwn.net/Alerts/667302/

The corresponding Debian bug, which includes a link to the upstream commit to fix the issue, is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807265

Mageia 5 is also affected.

David Walser 2015-12-09 18:46:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Spuhler 2015-12-14 22:44:05 CET
Looks as if it has been fixed in version 5.2.14
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
So we may well upgrade to vers. 5.2.14

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2015-12-14 22:58:54 CET
fixed in cauldron

David Walser 2015-12-14 23:07:19 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 Thomas Spuhler 2015-12-14 23:23:15 CET
This bug has now been fixed and the following packages are now in mga5 updates_testing:
php-phpmailer-5.2.14-1.mga5.src.rpm
php-phpmailer-5.2.14-1.mga5.noarch.rpm

Assigning to QA

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 4 David Walser 2015-12-14 23:39:40 CET
Thanks Thomas!

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Takeshi Terada discovered that PHPMailer accepted addresses containing line
breaks. This is valid in RFC5322, but allowing such addresses resulted in
invalid RFC5321 SMTP commands, permitting a kind of message injection attack
(CVE-2015-8476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8476
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
http://lwn.net/Alerts/667302/
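The mechanics behind the advisory text above, as an added example in Python; this is not PHPMailer's code and not the upstream fix, and the injected address below is constructed for illustration. RFC 5322 allows a quoted local part to contain folding whitespace, so a purely syntactic validator can accept an address with a CRLF inside it. CRLF is also the RFC 5321 command terminator, so once that address is interpolated into a RCPT TO command the server reads the remainder as further commands. The check that closes the hole is simply to reject any CR or LF before the address reaches the SMTP layer.

```python
import re

# Constructed sample input: the local part is quoted, so a loose RFC 5322
# syntax check accepts it, but it carries CRLF sequences that an SMTP server
# treats as command terminators.
INJECTED_ADDRESS = (
    '"victim\r\nRCPT TO:<attacker@example.net>\r\nDATA\r\nspam"@example.org'
)
CLEAN_ADDRESS = "victim@example.org"


def rcpt_to_line(address: str) -> str:
    """Build the RCPT TO command the way an unpatched client does: the
    address is interpolated into the command with no line-break check."""
    return f"RCPT TO:<{address}>\r\n"


def smtp_commands(wire: str) -> list:
    """Split a client-to-server stream the way an SMTP server does: one
    command per CRLF-terminated line (empty trailing segment dropped)."""
    return [line for line in wire.split("\r\n") if line]


def syntactically_valid(address: str) -> bool:
    """Illustrative RFC 5322-style check that allows a quoted local part.
    Deliberately loose; it is an assumption for this example, not
    PHPMailer's validator. Note that '[^"]*' happily matches CR and LF."""
    pattern = r'(?:"[^"]*"|[^\s@"]+)@[^\s@]+\.[^\s@]+'
    return re.fullmatch(pattern, address) is not None


def contains_line_break(address: str) -> bool:
    """True if the address would terminate an SMTP command prematurely."""
    return "\r" in address or "\n" in address


def validate_address(address: str) -> bool:
    """Hardened check: refuse CR/LF first, then apply the syntax check."""
    if contains_line_break(address):
        return False
    return syntactically_valid(address)


if __name__ == "__main__":
    for addr in (CLEAN_ADDRESS, INJECTED_ADDRESS):
        print("syntactically_valid:", syntactically_valid(addr))
        print("validate_address:   ", validate_address(addr))
        for cmd in smtp_commands(rcpt_to_line(addr)):
            print("  server sees:", cmd)
        print()
```

Run stand-alone, the script shows that the injected address passes the syntax-only check yet turns a single RCPT TO into four server-side commands, including an extra recipient and a DATA command, while the hardened check rejects it outright and still accepts the clean address.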

Comment 5 claire robinson 2015-12-18 16:46:19 CET
Example here https://github.com/PHPMailer/PHPMailer

If you do send an email be aware that it may be treated as spam, without being properly routed. It's enough of a test though.

Whiteboard: (none) => has_procedure

Comment 6 Brian Rockwell 2015-12-19 14:41:24 CET
Installed the update, attempted to run a PHPMailer test using Gmail to my Yahoo account. Well, that failed because Gmail blocked it. I received an email of the attempt.

"Someone just tried to sign in to your Google Account xxxxxxx@gmail.com from an app that doesn't meet modern security standards."

It works from my perspective.
Brian

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 7 claire robinson 2015-12-24 10:32:42 CET
Well done Brian.

Validating. Advisory uploaded.

Please push to 5 updates. Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-12-24 12:09:14 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0484.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

