Fedora has issued an advisory on June 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OBRDMEV3CB44CAAF5BOHFNV23JVRO6PZ/

The issue is fixed upstream in 6.1.6:
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Updated package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Fix insufficient output escaping bug in file attachment names (CVE-2020-13625).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OBRDMEV3CB44CAAF5BOHFNV23JVRO6PZ/
https://github.com/advisories/GHSA-f7hx-fqxw-rvvj
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13625
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-6.1.6-1.mga7.noarch.rpm

from php-phpmailer-6.1.6-1.mga7.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=20069#c9
CC: (none) => mrambo
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
Keywords: (none) => has_procedure
Installed and tested OK. Tested using several production-level PHP scripts and no issues were noticed. Also tested using the minimal test PHP script below.

System: Mageia 7, x86_64, PHP 7.3.19, Intel CPU.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q php-phpmailer
php-phpmailer-6.1.6-1.mga7

$ php --version
PHP 7.3.19 (cli) (built: Jun 19 2020 09:13:44) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies

$ rpm -qa | grep php | sort
apache-mod_php-7.3.19-2.mga7
lib64php_common7-7.3.19-2.mga7
php-bz2-7.3.19-2.mga7
php-channel-phpunit-1.3-16.mga7
php-cli-7.3.19-2.mga7
php-ctype-7.3.19-2.mga7
php-curl-7.3.19-2.mga7
php-dom-7.3.19-2.mga7
php-exif-7.3.19-2.mga7
php-fileinfo-7.3.19-2.mga7
php-filter-7.3.19-2.mga7
php-fpm-7.3.19-2.mga7
php-ftp-7.3.19-2.mga7
php-gd-7.3.19-2.mga7
php-gettext-7.3.19-2.mga7
php-hash-7.3.19-2.mga7
php-iconv-7.3.19-2.mga7
php-imagick-3.4.4-1.mga7
php-ini-7.3.19-2.mga7
php-intl-7.3.19-2.mga7
php-json-7.3.19-2.mga7
php-ldap-7.3.19-2.mga7
php-mbstring-7.3.19-2.mga7
phpmyadmin-4.9.5-1.mga7
php-mysqli-7.3.19-2.mga7
php-mysqlnd-7.3.19-2.mga7
php-openssl-7.3.19-2.mga7
php-pdo-7.3.19-2.mga7
php-pdo_mysql-7.3.19-2.mga7
php-pdo_sqlite-7.3.19-2.mga7
php-pear-1.10.9-1.mga7
php-pear-Auth_SASL-1.1.0-1.mga7
php-pear-channel-horde-1.0-21.mga7
php-pear-channel-symfony2-1.0-7.mga7
php-pear-Console_Color2-0.1.2-7.mga7
php-pear-Console_CommandLine-1.2.2-2.mga7
php-pear-Console_Getargs-1.4.0-2.mga7
php-pear-Console_Table-1.3.1-2.mga7
php-pear-Crypt_GPG-1.6.3-1.mga7
php-pear-DbUnit-1.3.1-6.mga7
php-pear-Event_Dispatcher-1.1.0-10.mga7
php-pear-File_Find-1.3.3-5.mga7
php-pear-File_Iterator-1.3.4-6.mga7
php-pear-HTML_Common-1.2.5-9.mga7
php-pear-HTML_CSS-1.5.4-12.mga7
php-pear-HTML_Table-1.8.4-2.mga7
php-pear-HTTP_Request2-2.3.0-2.mga7
php-pear-Mail_Mime-1.10.2-2.mga7
php-pear-Net_IDNA2-0.2.0-2.mga7
php-pear-Net_LDAP2-2.2.0-1.mga7
php-pear-Net_Sieve-1.4.4-1.mga7
php-pear-Net_SMTP-1.8.1-1.mga7
php-pear-Net_Socket-1.2.2-2.mga7
php-pear-Net_URL2-2.2.1-2.mga7
php-pear-PEAR_PackageFileManager-1.7.2-2.mga7
php-pear-PEAR_PackageFileManager2-1.0.4-6.mga7
php-pear-PEAR_PackageFileManager_Plugins-1.0.4-2.mga7
php-pear-PHP_CodeCoverage-1.2.17-6.mga7
php-pear-PHP_CompatInfo-1.9.0-13.mga7
php-pear-PHP_Invoker-1.1.3-6.mga7
php-pear-PHP_Timer-1.0.5-6.mga7
php-pear-PHP_TokenStream-1.2.2-5.mga7
php-pear-PHPUnit-3.7.34-4.mga7
php-pear-PHPUnit_MockObject-1.2.3-6.mga7
php-pear-PHPUnit_Selenium-1.3.3-6.mga7
php-pear-PHPUnit_Story-1.0.2-6.mga7
php-pear-Services_W3C_CSSValidator-0.2.3-7.mga7
php-pear-Symfony2_Yaml-2.4.4-5.mga7
php-pear-Text_Diff-1.2.2-2.mga7
php-pear-Text_Template-1.2.0-5.mga7
php-pear-XML_Parser-1.3.7-2.mga7
php-pear-XML_Serializer-0.21.0-2.mga7
php-phpmailer-6.1.6-1.mga7
php-posix-7.3.19-2.mga7
php-session-7.3.19-2.mga7
php-sockets-7.3.19-2.mga7
php-sysvsem-7.3.19-2.mga7
php-sysvshm-7.3.19-2.mga7
php-tokenizer-7.3.19-2.mga7
php-xml-7.3.19-2.mga7
php-xmlreader-7.3.19-2.mga7
php-xmlwriter-7.3.19-2.mga7
php-zip-7.3.19-2.mga7
php-zlib-7.3.19-2.mga7

=======BEGIN mailtest.php
<?php
// PHPMailer 6.x class files, resolved via the PHP include_path
require "PHPMailer.php";
require "Exception.php";
require "SMTP.php";

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\SMTP;

//////////////////
/// Set these variables to something appropriate for your email SMTP account.
$SMTP_HOST = "";
$SMTP_USERNAME = "";
$SMTP_PASSWORD = "";
$FROM_EMAIL = "";
$FROM_NAME = "";
$REPLY_EMAIL = "";
$REPLY_NAME = "";
$TO_EMAIL = "";   // recipient address and display name
$TO_NAME = "";
//////////////

$mail = new PHPMailer;
$mail->Mailer = "smtp";
$mail->Host = $SMTP_HOST;
$mail->Username = $SMTP_USERNAME;
$mail->Password = $SMTP_PASSWORD;
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;   // STARTTLS on the submission port
$mail->SMTPAuth = true;
$mail->AuthType = "PLAIN";
$mail->SMTPDebug = SMTP::DEBUG_LOWLEVEL;              // print the full SMTP conversation

$mail->setFrom($FROM_EMAIL, $FROM_NAME);
$mail->addReplyTo($REPLY_EMAIL, $REPLY_NAME);
$mail->addAddress($TO_EMAIL, $TO_NAME);
$mail->Subject = 'PHPMailer mail() test';

// HTML body from contents.html, with relative image paths resolved against this directory
$mail->msgHTML(file_get_contents('contents.html'), __DIR__);
$mail->AltBody = 'This is a plain-text message body';
$mail->addAttachment('image.png');

if (!$mail->send()) {
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message sent!';
}
?>
=======END mailtest.php
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
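A complementary check for the attachment-name escaping fix itself, added here as an example; it is not part of the bug report above and not code from the PHPMailer project. Unlike mailtest.php it needs no SMTP account: it builds the message with preSend() and inspects the generated MIME headers with getSentMIMEMessage(). The attachment name containing a double quote is a constructed probe, chosen on the assumption (from the upstream advisory linked in the first comment) that the double quote is the character whose escaping 6.1.6 fixes; the include_path assumption is the same as in mailtest.php, and the addresses are placeholders.

```php
<?php
// Added example: renders a message with a given attachment name and checks that the
// name= / filename= parameters in the attachment headers are well-formed.
// Assumes PHPMailer 6.x class files are reachable via the include_path (as mailtest.php does).
require "PHPMailer.php";
require "Exception.php";

use PHPMailer\PHPMailer\PHPMailer;

/**
 * Build a message carrying one attachment with the given name and return the raw MIME
 * text without sending it. preSend() assembles headers and body, getSentMIMEMessage()
 * returns them; no network connection is made.
 */
function renderWithAttachment(string $name): string
{
    $mail = new PHPMailer(true);                           // throw on any error
    $mail->setFrom('sender@example.com', 'Sender');        // placeholder addresses
    $mail->addAddress('recipient@example.com');
    $mail->Subject = 'attachment name escaping check';
    $mail->Body = 'body';
    // A string attachment avoids touching the filesystem; only the name matters here.
    $mail->addStringAttachment('dummy content', $name, PHPMailer::ENCODING_BASE64, 'text/plain');
    $mail->preSend();
    return $mail->getSentMIMEMessage();
}

/**
 * Return the Content-Type / Content-Disposition lines whose name= or filename= value is
 * neither an RFC 2045 token nor a properly escaped quoted-string followed by ';' or end of
 * line. An unescaped double quote inside the name breaks that shape, so a non-empty result
 * means the attachment name leaked into the header unescaped.
 */
function malformedNameParams(string $mime): array
{
    $wellFormed = '/\b(?:file)?name=(?:"(?:[^"\\\\]|\\\\.)*"|[^\s;"]+)\s*(?:;|$)/';
    $bad = [];
    foreach (preg_split('/\r\n|\n/', $mime) as $line) {
        if (!preg_match('/^Content-(?:Type|Disposition):/i', $line)) {
            continue;
        }
        if (!preg_match('/\b(?:file)?name=/', $line)) {
            continue;                                      // e.g. boundary= only
        }
        if (!preg_match($wellFormed, $line)) {
            $bad[] = $line;
        }
    }
    return $bad;
}

// Constructed probe names: a harmless one and one containing a double quote.
$names = ['report.pdf', 'quarterly "final".pdf'];
$failures = 0;
printf("PHPMailer %s\n", PHPMailer::VERSION);
foreach ($names as $name) {
    $bad = malformedNameParams(renderWithAttachment($name));
    $failures += count($bad);
    printf("%-25s %s\n", $name, $bad ? 'MALFORMED: ' . implode(' | ', $bad) : 'ok');
}
// Expected: both names report "ok" on 6.1.6; the quoted name is expected to be flagged on
// versions before the fix. Exit non-zero if anything was flagged or the version is too old.
exit($failures === 0 && version_compare(PHPMailer::VERSION, '6.1.6', '>=') ? 0 : 1);
?>
```

Run it as `php attachcheck.php` on the updated package; a non-zero exit status either means the installed PHPMailer is older than 6.1.6 or that a name parameter was emitted unescaped, which is what the update is meant to prevent.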
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
srpm in advisory on svn fixed.
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0313.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED