Fedora has issued an advisory on June 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/

The issues are fixed upstream in 6.5.0:
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-7q44-r25x-wm4q

Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 6.5.0
CC: (none) => mrambo
Whiteboard: (none) => MGA8TOO, MGA7TOO
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => mageia
CC: (none) => ouaurelien
Updated packages uploaded by Marc.
php-phpmailer-6.5.0-1.mga7
php-phpmailer-6.5.0-1.mga8
CC: (none) => mageia
Status comment: Fixed upstream in 6.5.0 => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: mageia => qa-bugs
Version: Cauldron => 8
@David: thanks. I didn't have the time to check the changelog and the CVEs fixed; I'll write an advisory this evening.
Updated php-phpmailer packages fix security vulnerabilities:

PHPMailer contained a vulnerability that can result in untrusted code being called. [2]

PHPMailer allowed object injection through Phar Deserialization via addAttachment with a UNC pathname. [3]

Full release notes available on [1]

References:
[1] https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36326
========================

Updated packages in core/updates_testing:
php-phpmailer-6.5.0-1.mga8.noarch

SRPM:
php-phpmailer-6.5.0-1.mga8.src.rpm
CVE: (none) => CVE-2021-34551, CVE-2021-3603
CVE: CVE-2021-34551, CVE-2021-3603 => CVE-2021-36326, CVE-2021-3603
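The advisory draft above names two bug classes: a validator selector that the library ends up treating as something to call (CVE-2021-3603) and an attachment path that can reach a phar:// or UNC location (CVE-2021-36326, Windows-only per the later comments). The following is an added example of how an application using PHPMailer can keep both inputs out of reach of request data; it is not code from this bug report or from the PHPMailer project. It assumes PHPMailer 6.5.0 or later is loadable through a Composer autoloader at vendor/autoload.php (assumed path), and that the validator names 'php', 'html5' and 'pcre8' are the ones accepted by PHPMailer::validateAddress(); the bad inputs in the demo are constructed.

```php
<?php
// Added example, not from the Mageia bug or from PHPMailer itself.
// Assumption: PHPMailer is available via Composer at this path.
require_once __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

// Refuse to run on a library older than the 6.5.0 fix for CVE-2021-3603
// instead of assuming the packaged version is current.
function assertPatchedPhpmailer(): void
{
    if (version_compare(PHPMailer::VERSION, '6.5.0', '<')) {
        throw new RuntimeException('PHPMailer ' . PHPMailer::VERSION . ' is older than 6.5.0');
    }
}

// Only these validator names are ever handed to validateAddress(). The
// selector must never be taken straight from request data, because the
// library resolves it to a validation routine rather than treating it as data.
const ALLOWED_VALIDATORS = ['php', 'html5', 'pcre8'];

function validateRecipient(string $address, string $validator = 'php'): bool
{
    if (!in_array($validator, ALLOWED_VALIDATORS, true)) {
        throw new InvalidArgumentException("Unknown validator '$validator'");
    }
    return PHPMailer::validateAddress($address, $validator);
}

// Attachment paths are confined to one directory and may not name a PHP
// stream wrapper (phar://, file://, ...) or a UNC share (\\host\share).
function safeAttachmentPath(string $userPath, string $baseDir): string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)
        || strncmp($userPath, '\\\\', 2) === 0
        || strncmp($userPath, '//', 2) === 0) {
        throw new InvalidArgumentException('Stream wrappers and UNC paths are not allowed');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    // realpath() resolves "..", so a prefix check on the result catches traversal.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('Attachment is not inside the allowed directory');
    }
    return $real;
}

assertPatchedPhpmailer();
$mail = new PHPMailer(true); // exceptions enabled

// Validator selector: a constructed unknown name is rejected before it
// reaches the library.
foreach (['php', 'not_a_validator'] as $selector) {
    try {
        $ok = validateRecipient('qa@example.org', $selector);
        echo "$selector: " . ($ok ? 'valid address' : 'invalid address') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$selector: rejected (" . $e->getMessage() . ")\n";
    }
}

// Attachment path: one constructed sample file inside a scratch directory,
// one traversal attempt and one stream-wrapper path.
$dir = sys_get_temp_dir() . '/phpmailer-qa';
@mkdir($dir);
file_put_contents("$dir/report.txt", "constructed sample attachment\n");
foreach (['report.txt', '../outside.txt', 'phar://archive.phar/report.txt'] as $candidate) {
    try {
        $mail->addAttachment(safeAttachmentPath($candidate, $dir));
        echo "$candidate: attached\n";
    } catch (InvalidArgumentException $e) {
        echo "$candidate: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with the php-cli package installed (the later QA comments note that php-phpmailer alone does not pull it in). The first loop prints one valid result and one rejection; in the second loop only report.txt is attached, while the traversal and phar:// candidates are refused before addAttachment() ever sees them.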
You forgot CVE-2021-34551. Upstream reference for CVE-2021-36326: https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66 That one didn't affect us, so shouldn't be listed.
CVE: CVE-2021-36326, CVE-2021-3603 => CVE-2021-34551, CVE-2021-3603
Nope, 34551 is only on Windows, so it did not affect us either.
Indeed.
Summary: php-phpmailer new security issues CVE-2021-3603 and CVE-2021-34551 => php-phpmailer new security issue CVE-2021-3603
CVE: CVE-2021-34551, CVE-2021-3603 => CVE-2021-3603
Installed and tested without issues.

Tested using several production-level PHP scripts without regressions. Also tested using the attached minimal PHP script.

System: Mageia 7, x86_64, PHP 7.3.28, Intel CPU.

$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q php-phpmailer
php-phpmailer-6.5.0-1.mga7

$ php --version
PHP 7.3.28 (cli) (built: Apr 27 2021 16:53:53) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.28, Copyright (c) 1998-2018 Zend Technologies
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => mageia
Created attachment 12825: PHPMailer minimal test script
I tried to use the test script, I really did. But I don't have a clue about running it, or php. Somebody else needs to test this, or we just pass the Mageia 8 update along on a clean install. I DID get that far...
CC: (none) => andrewsfarm
Well, this is embarrassing. I finally figured out what was wrong. When I installed php-phpmailer and dependencies, php-cli wasn't among them. So there I was, trying to learn why the "php" command couldn't be found, when it was because it hadn't been installed! No installation issues on the update. Failed to get the script to run until I installed php-cli. After that, it ran just fine. Connected to one of my gmail accounts, and successfully sent mail to another of them. Giving this an OK, and Validating. Advisory in Comment 4. Now I need to go bandage the spot where I've been banging my head against the wall...
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Just to add, Thunderbird received the test email, so, of course, that confirms that it was sent successfully.
type: security
subject: Updated php-phpmailer package fixes security vulnerability
CVE:
 - CVE-2021-3603
src:
  7:
   core:
     - php-phpmailer-6.5.0-1.mga7
  8:
   core:
     - php-phpmailer-6.5.0-1.mga8
description: |
  PHPMailer contained a vulnerability that can result in untrusted code being
  called (CVE-2021-3603).

  See upstream release notes.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29183
 - https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0
 - https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0345.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED