Debian has issued an advisory on December 31: https://www.debian.org/security/2016/dsa-3750 The issue is fixed in 5.2.20 and Debian has a patch. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Patched package uploaded for Cauldron.

Potential test procedure:
https://bugs.mageia.org/show_bug.cgi?id=17319#c5
https://bugs.mageia.org/show_bug.cgi?id=17319#c6

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

It was discovered that PHPMailer, a popular library to send email from PHP applications, allowed a remote attacker to execute code if they were able to provide a crafted Sender address (CVE-2016-10033).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
https://security-tracker.debian.org/tracker/CVE-2016-10033
https://www.debian.org/security/2016/dsa-3750
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.14-1.1.mga5

from php-phpmailer-5.2.14-1.1.mga5.src.rpm
CC: (none) => mrambo
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure
MGA5-32 on AcerD620 Xfce
No installation issues.
Created phpmailtest as per bug 17319 Comment 5, changed mail settings in it and tried to run it, but got at the CLI:

$ php phpmailtest
PHP Warning: require(PHPMailerAutoload.php): failed to open stream: No such file or directory in /home/tester5/Documenten/phpmailtest on line 2
PHP Fatal error: require(): Failed opening required 'PHPMailerAutoload.php' (include_path='.:/usr/lib/php/:/usr/share/pear/:/usr/share/php/') in /home/tester5/Documenten/phpmailtest on line 2

Turned out that the require line in the php file has to read:

require 'PHPMailer/PHPMailerAutoload.php';

After that I get:

$ php phpmailtest
Message could not be sent.Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

I have smtp settings copied from my working Thunderbird as:

$mail->isSMTP();                          // Set mailer to use SMTP
$mail->Host = 'smtp.googlemail.com';      // Specify main and backup SMTP servers
$mail->SMTPAuth = false;                  // Enable SMTP authentication
# $mail->Username = '<myname>@gmail.com'; // SMTP username
# $mail->Password = 'secret';             // SMTP password
# $mail->SMTPSecure = 'ssl';              // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25;                         // TCP port to connect to

but at least, the phpmailer seems to try to connect to the server.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Fedora has issued an advisory on January 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JTXZSKTKOWTVEXDS76R6GJGI3MLA2LL5/ It fixes one additional security issue (fixed upstream in 5.2.22).
Version: 5 => Cauldron
Summary: php-phpmailer new security issue CVE-2016-10033 => php-phpmailer new security issues CVE-2016-10033 and CVE-2017-5223
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5TOO feedback
LWN reference for CVE-2017-5223: https://lwn.net/Vulnerabilities/711946/
CC: (none) => qa-bugs
Assignee: qa-bugs => mrambo
php-phpmailer-5.2.22-1.mga5 uploaded by Mike, so this can be tested again.
CC: qa-bugs => (none)
Version: Cauldron => 5
Assignee: mrambo => qa-bugs
Whiteboard: has_procedure MGA5TOO feedback => has_procedure
Updated package uploaded for Cauldron.

Potential test procedures above in comment 3 and at:
https://bugs.mageia.org/show_bug.cgi?id=17319#c5
https://bugs.mageia.org/show_bug.cgi?id=17319#c6

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

It was discovered that PHPMailer prior to 5.2.22 contained a local file disclosure vulnerability if content passed to `msgHTML()` was sourced from unfiltered user input (CVE-2017-5223).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5223
http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.22-1.mga5

from php-phpmailer-5.2.22-1.mga5.src.rpm
Corrected advisory.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

It was discovered that PHPMailer, a popular library to send email from PHP applications, allowed a remote attacker to execute code if they were able to provide a crafted Sender address (CVE-2016-10033).

It was discovered that PHPMailer prior to 5.2.22 contained a local file disclosure vulnerability if content passed to `msgHTML()` was sourced from unfiltered user input (CVE-2017-5223).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5223
http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/
https://www.debian.org/security/2016/dsa-3750
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JTXZSKTKOWTVEXDS76R6GJGI3MLA2LL5/
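The two issues named in the advisory above, as an added Python illustration of the class of input check each fix needs. This is not PHPMailer's own code and is not part of this bug report: the function names, the sendmail path /usr/sbin/sendmail, the base directory /srv/www and the sample addresses and image paths are all constructed for the example. The first check shows why a Sender address must be allow-listed (not merely RFC-valid, not merely escaped) before it is placed on a sendmail command line as "-f<sender>"; the second shows how an msgHTML()-style conversion of <img src="..."> into inline attachments must confine file reads to the configured base directory and never open an absolute path or a URL as a local file.

```python
"""Input checks modelled on the two PHPMailer fixes in the advisory (added example).

Not PHPMailer code. Names, paths and sample inputs below are assumptions made
for illustration.
"""
import os
from urllib.parse import urlsplit

# Conservative set of non-alphanumeric characters allowed in an envelope sender.
SAFE_EXTRA = "@_-."


def is_shell_safe(value: str) -> bool:
    """True only for ASCII alphanumerics plus '@', '_', '-' and '.'.

    Whitespace, quotes and backslashes are exactly what lets a crafted Sender
    smuggle extra sendmail options (CVE-2016-10033 class), so they are refused
    outright instead of being escaped.
    """
    if not value:
        return False
    return all((c.isascii() and c.isalnum()) or c in SAFE_EXTRA for c in value)


def sendmail_argv(sender: str, sendmail: str = "/usr/sbin/sendmail") -> list:
    """Build the argv a mailer would exec (sendmail path is an assumption).

    The envelope sender is passed with -f only when it is shell safe; an unsafe
    sender is dropped rather than escaped, because an allow-list is easier to
    reason about than escaping for a value that crosses several quoting layers.
    """
    argv = [sendmail, "-t", "-i"]
    if is_shell_safe(sender):
        argv.append("-f" + sender)
    return argv


def resolve_inline_image(src: str, basedir: str):
    """Return the local file that may be embedded for an HTML img src, or None.

    None means "leave the src untouched": remote URLs, data: URIs, absolute
    paths and anything escaping basedir via '..' or a symlink are never opened
    (CVE-2017-5223 class).
    """
    if not src or src.startswith(("/", "\\")):
        return None
    if urlsplit(src).scheme:          # http:, https:, data:, file:, C: ...
        return None
    base = os.path.realpath(basedir)
    candidate = os.path.realpath(os.path.join(base, src))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one benign sender, one RFC-style quoted local
    # part with a space, one naive option-injection attempt.
    for sender in ("user@example.com",
                   '"a b"@example.com',
                   "user@example.com -X/var/www/html/x.php"):
        print(repr(sender), "->", sendmail_argv(sender))
    # Constructed img src values against an assumed base directory.
    for src in ("img/logo.png", "../../etc/passwd", "/etc/passwd",
                "https://example.com/a.png", "data:image/png;base64,AAAA"):
        print(repr(src), "->", resolve_inline_image(src, "/srv/www"))
```

Run it as a script to see each sample sender and image path mapped to the argv or file that would actually be used; only the plain address gains a -f option, and only the relative path inside the base directory is returned for embedding.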
Testing Mageia 5_64

BEFORE update: php-phpmailer-5.2.14-1
Using as a basis the sample file https://github.com/PHPMailer/PHPMailer "A Simple Example", 'require' modified as per Comment 3:
Like Herman, with my own SMTP details defined - msg from & to myself - I initially could not get past:

$ php mailtest.php
Message could not be sent.Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

Invoked debugging to look closer:
$mail->SMTPDebug = 2;

$ php mailtest.php
2017-01-21 19:44:36 Connection: opening to smtp.free.fr:25, timeout=300, options=array ( )
2017-01-21 19:44:36 Connection: opened
2017-01-21 19:44:36 SERVER -> CLIENT: 220 smtp4-g21.free.fr ESMTP Postfix
2017-01-21 19:44:36 CLIENT -> SERVER: EHLO localhost.localdomain
2017-01-21 19:44:36 SERVER -> CLIENT: 250-smtp4-g21.free.fr
...
2017-01-21 19:44:36 CLIENT -> SERVER: STARTTLS
2017-01-21 19:44:36 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2017-01-21 19:44:36 CLIENT -> SERVER: EHLO localhost.localdomain
2017-01-21 19:44:36 SERVER -> CLIENT: 250-smtp4-g21.free.fr
...
2017-01-21 19:44:36 SMTP Error: Could not authenticate.
2017-01-21 19:44:36 CLIENT -> SERVER: QUIT
2017-01-21 19:44:36 SERVER -> CLIENT: 221 2.0.0 Bye
2017-01-21 19:44:36 Connection: closed
2017-01-21 19:44:37 SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Message could not be sent.Mailer Error: SMTP connect() failed.

I first tried knocking out:
//$mail->SMTPSecure = 'tls';
in case that mattered; no change. I then knocked out SMTP authentication (could instead have said 'false'):
//$mail->SMTPAuth = true;
which worked:

$ php mailtest.php
...
Message has been sent

and I did indeed receive the message as both its HTML and plain text variants.
Here are the lines I explicitly defined or disabled (//); other lines as per the original script:
----------------------------------------
require 'PHPMailer/PHPMailerAutoload.php';
$mail->SMTPDebug = 2;
$mail->Host = 'smtp.free.fr';
//$mail->SMTPAuth = true;
$mail->Username = 'xxx';
$mail->Password = 'yyy';
//$mail->SMTPSecure = 'tls';
$mail->Port = 25;
$mail->setFrom('<my@address>', 'Mailer');
$mail->addAddress('<my@address>', 'Joe User');
//$mail->addAddress('ellen@example.com');
$mail->addReplyTo('<my@address>', 'Information');
//$mail->addCC('cc@example.com');
//$mail->addBCC('bcc@example.com');
//$mail->addAttachment('/var/tmp/file.tar.gz');
//$mail->addAttachment('/tmp/image.jpg', 'new.jpg');
--------------------------------------------------

AFTER update: php-phpmailer-5.2.22-1

$ php mailtest.php
...
Message has been sent

Once again the msg was correctly received in both its HTML & text variants.
The update looks OK.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Advisory was already in place (but not on Whiteboard), but incomplete; and wrong SRPM version. Updated.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
After adjusting my settings like Lewis and choosing my own provider's SMTP, I could send mail:

$ php phpmailtest
Message has been sent
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK MGA5-32-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0022.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED