Fedora has issued advisories on November 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DAZQPUD7WZXMJ2KIQY5P2I2UI545YPYO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BVXCKTJQBY2PZGWGUFENTIDVHGQLDIV/

The issue is fixed upstream in 5.2.27 and 6.0.6. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
hmm, I missed this one when going over security bugs this morning :-( Anyway, assigning.
CC: (none) => mageia, marja11
Assignee: bugsquad => php
Updated php-phpmailer packages fix security vulnerabilities:

SECURITY
Fix potential object injection vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DAZQPUD7WZXMJ2KIQY5P2I2UI545YPYO/
========================
Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.27-1.1.mga6.noarch.rpm

SRPM:
php-phpmailer-5.2.27-1.1.mga6.src.rpm
Assignee: php => qa-bugs
Thanks! (don't forget the CVE)

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Potential object injection vulnerability (CVE-2018-19296).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DAZQPUD7WZXMJ2KIQY5P2I2UI545YPYO/
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Trying M6/64
UPDATED to: php-phpmailer-5.2.27-1.1.mga6

Using my own earlier notes, which pillage other people's: https://bugs.mageia.org/show_bug.cgi?id=20069#c9 especially the sample file *changes* near the end of the comment. The base script is at https://github.com/PHPMailer/PHPMailer under "A Simple Example".

NOTE ALSO: the sample script has \ in the two 'use' lines; this caused an error:

$ php mailtest.php
PHP Fatal error: Class 'PHPMailer\PHPMailer\PHPMailer' not found in /home/lewis/tmp/mailtest on line 10
= $mail = new PHPMailer(true);

So I changed additionally these two initial lines (\ to /) to:

use PHPMailer/PHPMailer/PHPMailer;
use PHPMailer/PHPMailer/Exception;

which caused a different error, and sooner:

$ php mailtest.php
PHP Warning: The use statement with non-compound name 'PHPMailer' has no effect in /home/lewis/tmp/mailtest.php on line 4
PHP Parse error: syntax error, unexpected '/', expecting ',' or ';' in /home/lewis/tmp/mailtest.php on line 4
= use PHPMailer/PHPMailer/PHPMailer;

This has all worked before. Some syntax thingy. Have to stop now.
CC: (none) => lewyssmith
Those Examples refer to version >=6 (packed in cauldron). For mga6, it is a simple:

require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';
$mail = new PHPMailer();
....

For version >6 you have to write:

require '/usr/share/php/PHPMailer/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

//since the autoloader is non-standard added by guillomovitch, I'm not sure if this works this way.
Thanks Marc for the pointers. Changed the 'require' line appropriately to:

require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';

and reverted the slashes in the two 'use' statements:

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

Re-trying Mageia 6 x64

$ pwd
/home/lewis/tmp
$ ls -l
...
-rw-r--r-- 1 lewis lewis 2069 Ion 2 22:22 mailtest.php
$ php mailtest.php
PHP Fatal error: Class 'PHPMailer\PHPMailer\PHPMailer' not found in /home/lewis/tmp/mailtest.php on line 10
= $mail = new PHPMailer(true);
----------------------------
These are the 1st 10 lines of mailtest.php now (it made no difference whether the order is require-use-use or use-use-require):

<?php
//Load Composer's autoloader
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';

// Import PHPMailer classes into the global namespace
// These must be at the top of your script, not inside a function
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

$mail = new PHPMailer(true);
----------------------------
Lost!
@guillomovitch: you have made changes from fedora (e.g. autoloader, moved dir) to this. You should help here.
CC: (none) => guillomovitch
@lewis: you are mixing the location of the autoloader from version 5.x with the namespace changes introduced with version 6.x.

phpmailer 5.x, packaged in mageia 6, ships with an upstream autoloader (/usr/share/php/PHPMailer/PHPMailerAutoload.php), and doesn't use namespaces: the PHPMailer class is PHPMailer. php-phpmailer-5.2.27 should work flawlessly as an update for php-phpmailer-5.2.24.

phpmailer 6.x, packaged in cauldron, uses a custom autoloader (usr/share/php/PHPMailer/autoload.php), based on fedora code, because upstream doesn't provide one anymore, and uses namespaces: the PHPMailer class is now actually PHPMailer\PHPMailer\PHPMailer. It won't work as an update for php-phpmailer-5.x without a few adaptations.

In both cases, using the autoloader is just a shortcut to import all classes at once, instead of importing each required file separately. See https://github.com/PHPMailer/PHPMailer/blob/master/UPGRADING.md for some explanations.

And if you need test cases, this package ships its own examples in /usr/share/doc/php-phpmailer/examples, that are supposed to be version-consistent.
Testing M6 x64

At last - Bingo! Thanks Guillaume for the help. I disabled the two 'use' statements, and it worked immediately:

$ php mailtest.php
2019-01-03 20:03:22 SERVER -> CLIENT: 220 smtp4-g21.free.fr ESMTP Postfix
2019-01-03 20:03:22 CLIENT -> SERVER: EHLO localhost.localdomain
2019-01-03 20:03:22 SERVER -> CLIENT: 250-smtp4-g21.free.fr etc etc
2019-01-03 20:03:22 CLIENT -> SERVER: STARTTLS
2019-01-03 20:03:22 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2019-01-03 20:03:22 CLIENT -> SERVER: EHLO localhost.localdomain
2019-01-03 20:03:22 SERVER -> CLIENT: 250-smtp4-g21.free.fr etc etc
2019-01-03 20:03:22 CLIENT -> SERVER: MAIL FROM:<xxx@free.fr>
2019-01-03 20:03:22 SERVER -> CLIENT: 250 2.1.0 Ok
2019-01-03 20:03:22 CLIENT -> SERVER: RCPT TO:<xxx@free.fr>
2019-01-03 20:03:22 SERVER -> CLIENT: 250 2.1.5 Ok
2019-01-03 20:03:22 CLIENT -> SERVER: DATA
2019-01-03 20:03:22 SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2019-01-03 20:03:22 CLIENT -> SERVER: Date: Thu, 3 Jan 2019 20:03:22 +0000
2019-01-03 20:03:22 CLIENT -> SERVER: To: Joe User <yyy@free.fr>
2019-01-03 20:03:22 CLIENT -> SERVER: From: Mailer <yyy@free.fr>
2019-01-03 20:03:22 CLIENT -> SERVER: Reply-To: Information <xxx@free.fr>
2019-01-03 20:03:22 CLIENT -> SERVER: Subject: Here is the subject
2019-01-03 20:03:22 CLIENT -> SERVER: Message-ID: <f76fda5c4bb1bb4ab1ea318e2bd88ed1@localhost.localdomain>
2019-01-03 20:03:22 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.27 (https://github.com/PHPMailer/PHPMailer)
2019-01-03 20:03:22 CLIENT -> SERVER: MIME-Version: 1.0
2019-01-03 20:03:22 CLIENT -> SERVER: Content-Type: multipart/alternative;
2019-01-03 20:03:22 CLIENT -> SERVER: boundary="b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1"
2019-01-03 20:03:22 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2019-01-03 20:03:22 CLIENT -> SERVER:
2019-01-03 20:03:22 CLIENT -> SERVER: This is a multi-part message in MIME format.
2019-01-03 20:03:22 CLIENT -> SERVER:
2019-01-03 20:03:22 CLIENT -> SERVER: --b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1
2019-01-03 20:03:22 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2019-01-03 20:03:22 CLIENT -> SERVER:
2019-01-03 20:03:22 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
...
2019-01-03 20:03:22 CLIENT -> SERVER: --b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1
2019-01-03 20:03:22 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2019-01-03 20:03:22 CLIENT -> SERVER:
2019-01-03 20:03:22 CLIENT -> SERVER: This is the HTML message body <b>in bold!</b>
...
--b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1--
2019-01-03 20:03:22 CLIENT -> SERVER:
2019-01-03 20:03:22 CLIENT -> SERVER: .
2019-01-03 20:03:22 SERVER -> CLIENT: 250 2.0.0 Ok: queued as 3DDFB19F5BD
2019-01-03 20:03:22 CLIENT -> SERVER: QUIT
2019-01-03 20:03:22 SERVER -> CLIENT: 221 2.0.0 Bye
Message has been sent

and I received the e-mail "This is the HTML message body in bold!".

-----------------------------------------------------------------
For future Mageia 6 test reference, here is the start of the PHP test script that worked:

<?php
//Load Composer's autoloader
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';

$mail = new PHPMailer(true);
etc etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OKing, validating, advisory from comments 3 & 2.
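The thread's two explanations (Marc's pointer to the two autoloaders and Guillaume's note that 5.x is non-namespaced while 6.x is namespaced) can be folded into one QA script that runs unchanged on Mageia 6 (php-phpmailer 5.2.x) and on Cauldron (php-phpmailer 6.x). The following is an added example, not the tester's mailtest.php and not PHPMailer's own code: it picks whichever autoloader is installed, resolves the right class name without any 'use' lines, refuses to run unless the installed version is at or above the release that fixes CVE-2018-19296 (5.2.27 or 6.0.6, as stated at the top of the report), and then sends the same kind of STARTTLS test message as in the transcript above. The two autoloader paths are the ones quoted in the thread; the SMTP host, account and addresses are placeholders to be replaced with a test account; the constant/property names used for the version check (6.x `VERSION`, 5.x `$Version`) are assumed from the respective PHPMailer releases.

```php
<?php
// Added example for this bug report (not the tester's script, not PHPMailer's code).
// Works with php-phpmailer 5.2.x (Mageia 6, global class, upstream autoloader) and
// php-phpmailer 6.x (Cauldron, namespaced class, Mageia's custom autoloader), and
// checks that the installed release is not older than the CVE-2018-19296 fix.
// Autoloader paths are the ones quoted in the thread; SMTP_* values are placeholders.

const AUTOLOAD_5 = '/usr/share/php/PHPMailer/PHPMailerAutoload.php'; // 5.x, upstream
const AUTOLOAD_6 = '/usr/share/php/PHPMailer/autoload.php';          // 6.x, Mageia custom

// Use whichever autoloader the installed package provides.
if (file_exists(AUTOLOAD_6)) {
    require AUTOLOAD_6;
    $class = 'PHPMailer\\PHPMailer\\PHPMailer';   // 6.x: namespaced class
} elseif (file_exists(AUTOLOAD_5)) {
    require AUTOLOAD_5;
    $class = 'PHPMailer';                         // 5.x: global class, no 'use' needed
} else {
    fwrite(STDERR, "No PHPMailer autoloader found; is php-phpmailer installed?\n");
    exit(1);
}

$mail = new $class(true); // true = throw exceptions instead of returning false

// 6.x exposes the version as the class constant VERSION, 5.x as the public
// property $Version (assumed names). Compare against the first fixed release
// of the installed branch, as given in the report: 6.0.6 or 5.2.27.
$version = defined("$class::VERSION") ? constant("$class::VERSION") : $mail->Version;
$minimum = (strpos($version, '6.') === 0) ? '6.0.6' : '5.2.27';
if (version_compare($version, $minimum, '<')) {
    fwrite(STDERR, "PHPMailer $version predates the CVE-2018-19296 fix ($minimum)\n");
    exit(1);
}
echo "PHPMailer $version (>= $minimum), class $class\n";

try {
    $mail->SMTPDebug  = 2;                     // client/server transcript, as in the thread
    $mail->isSMTP();
    $mail->Host       = 'smtp.example.test';   // placeholder
    $mail->Port       = 587;
    $mail->SMTPSecure = 'tls';                 // STARTTLS, like the transcript above
    $mail->SMTPAuth   = true;
    $mail->Username   = 'user@example.test';   // placeholder
    $mail->Password   = 'REPLACE-ME';          // placeholder, not a real credential

    $mail->setFrom('user@example.test', 'Mailer');        // placeholder
    $mail->addAddress('user@example.test', 'Joe User');   // placeholder
    $mail->isHTML(true);
    $mail->Subject = 'php-phpmailer update test';
    $mail->Body    = 'This is the HTML message body <b>in bold!</b>';
    $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

    $mail->send();
    echo "Message has been sent\n";
} catch (Exception $e) {
    // 5.x throws phpmailerException, 6.x PHPMailer\PHPMailer\Exception; both
    // extend \Exception, so a single catch covers either installed version.
    echo 'Message could not be sent. Mailer Error: ' . $mail->ErrorInfo . "\n";
    exit(1);
}
```

Run it as `php mailtest.php` after installing the candidate package; the first line it prints is the version check, so a package that still ships an unfixed release is reported before any mail is attempted. Resolving the class through a string (`new $class(true)`) is what makes the script version-agnostic: a `use PHPMailer\PHPMailer\PHPMailer;` line is harmless on 6.x but, as the earlier comments show, leaves 5.x with a "Class not found" error because no such namespaced class exists there.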
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED