Fedora has issued an advisory on July 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545FEK4BT73LWYBXC2P7MQYBELWVG257/

The issue is fixed in 5.2.24.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Updated packages uploaded for Mageia 5, 6, and cauldron.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

It was discovered that php-phpmailer has a XSS vulnerability in the "From Email Address" and "To Email Address" fields of code_generator.php (CVE-2017-11503).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545FEK4BT73LWYBXC2P7MQYBELWVG257/
https://nvd.nist.gov/vuln/detail/CVE-2017-11503
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.24-1.mga5.noarch.rpm

from php-phpmailer-5.2.24-1.mga5.src.rpm

php-phpmailer-5.2.24-1.mga6.noarch.rpm

from php-phpmailer-5.2.24-1.mga6.src.rpm

Potential test procedure:
https://bugs.mageia.org/show_bug.cgi?id=17319#c5
https://bugs.mageia.org/show_bug.cgi?id=17319#c6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO has_procedure
CC: (none) => mrambo
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
MGA6-32 on Asus A6000VM MATE

Installation: the test package was already installed????

Via bug 17319 got to the example in https://github.com/PHPMailer/PHPMailer , but then hit the same snag as in bug 20069 Comment 3.

This time I chose my provider's SMTP to send to my Google account, and that worked perfectly (no attachments used).
Whiteboard: MGA5TOO has_procedure => MGA5TOO has_procedure MGA6-32-OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO has_procedure MGA6-32-OK => MGA5TOO has_procedure MGA6-32-OK advisory
CC: (none) => lewyssmith
I was able to make it work this time. This is working as designed.

Brian
Whiteboard: MGA5TOO has_procedure MGA6-32-OK advisory => MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok
CC: (none) => brtians1
The following 24 packages are going to be installed:

- lib64php5_common5-5.6.30-1.mga5.x86_64
- php-cli-5.6.30-1.mga5.x86_64
- php-ctype-5.6.30-1.mga5.x86_64
- php-dom-5.6.30-1.mga5.x86_64
- php-filter-5.6.30-1.mga5.x86_64
- php-ftp-5.6.30-1.mga5.x86_64
- php-gettext-5.6.30-1.mga5.x86_64
- php-hash-5.6.30-1.mga5.x86_64
- php-ini-5.6.30-1.mga5.x86_64
- php-json-5.6.30-1.mga5.x86_64
- php-openssl-5.6.30-1.mga5.x86_64
- php-phpmailer-5.2.24-1.mga5.noarch
- php-posix-5.6.30-1.mga5.x86_64
- php-session-5.6.30-1.mga5.x86_64
- php-suhosin-0.9.37.1-1.mga5.x86_64
- php-sysvsem-5.6.30-1.mga5.x86_64
- php-sysvshm-5.6.30-1.mga5.x86_64
- php-timezonedb-2016.6-1.mga5.x86_64
- php-tokenizer-5.6.30-1.mga5.x86_64
- php-xml-5.6.30-1.mga5.x86_64
- php-xmlreader-5.6.30-1.mga5.x86_64
- php-xmlwriter-5.6.30-1.mga5.x86_64
- php-zlib-5.6.30-1.mga5.x86_64
- webserver-base-2.0-8.mga5.x86_64

8.2MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Is it ok to continue?

2017-08-10 21:25:55 CLIENT -> SERVER: Date: Thu, 10 Aug 2017 21:25:54 +0000
2017-08-10 21:25:55 CLIENT -> SERVER: To: Brian <xxxxx@yahoo.com>
2017-08-10 21:25:55 CLIENT -> SERVER: From: Brian <xxxxxx@gmail.com>
2017-08-10 21:25:55 CLIENT -> SERVER: Subject: PHP mmmmmmmmmmmmmmmmmmmmmmmmmmmail Test from g ttttttto y
2017-08-10 21:25:55 CLIENT -> SERVER: Message-ID: <33285a1fbfd00a496f38c5a51f569b44@localhost>
2017-08-10 21:25:55 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.24 (https://github.com/PHPMailer/PHPMailer)
2017-08-10 21:25:55 CLIENT -> SERVER: MIME-Version: 1.0
2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: multipart/alternative;
2017-08-10 21:25:55 CLIENT -> SERVER: boundary="xxxxxxxxxxx"
2017-08-10 21:25:55 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: This is a multi-part message in MIME format.
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER xxxxxxxxxxxxxxxxxx
2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: xxxxxxxxxxxxxxxxxx
2017-08-10 21:25:55 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: This is the HTML message body <b>in bold!</b>
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: xxxxxxxxxxxxxxxxxx
2017-08-10 21:25:55 CLIENT -> SERVER:
2017-08-10 21:25:55 CLIENT -> SERVER: .
2017-08-10 21:25:56 SERVER -> CLIENT: 250 2.0.0 OK 1502400358 w132sm1465553itf.31 - gsmtp
2017-08-10 21:25:56 CLIENT -> SERVER: QUIT
2017-08-10 21:25:56 SERVER -> CLIENT: 221 2.0.0 closing connection w132sm1465553itf.31 - gsmtp
Message has been sent

Works as designed.
Whiteboard: MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok => MGA5TOO has_procedure MGA6-32-OK advisory mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0257.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED