Bug 26760 - php-phpmailer new security issue CVE-2020-13625
Summary: php-phpmailer new security issue CVE-2020-13625
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: has_procedure
Depends on:
Blocks:
 
Reported: 2020-06-09 22:47 CEST by David Walser
Modified: 2020-06-11 18:47 CEST

See Also:
Source RPM: php-phpmailer-6.0.6-5.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-06-09 22:47:00 CEST
Fedora has issued an advisory on June 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OBRDMEV3CB44CAAF5BOHFNV23JVRO6PZ/

The issue is fixed upstream in 6.1.6:
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj

Mageia 7 is also affected.

David Walser 2020-06-09 22:47:17 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Mike Rambo 2020-06-11 18:47:07 CEST
Updated package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Fix insufficient output escaping bug in file attachment names (CVE-2020-13625).


References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OBRDMEV3CB44CAAF5BOHFNV23JVRO6PZ/
https://github.com/advisories/GHSA-f7hx-fqxw-rvvj
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13625
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-6.1.6-1.mga7.noarch.rpm

from php-phpmailer-6.1.6-1.mga7.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=20069#c9

CC: (none) => mrambo
Keywords: (none) => has_procedure
Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)