Bug 1409489 (CVE-2016-10033)
| Summary: | CVE-2016-10033 phpmailer: Parameter injection via mail() function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | benoit, fedora, fedora, giallu, gwync, hello, jsmith.fedora, patrick, shawn, stickster |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | phpmailer 5.2.18 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-09 12:02:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1409490, 1409491, 1409492, 1409493, 1409494, 1409495, 1409496, 1409497, 1409498, 1409504 | ||
| Bug Blocks: | |||
|
Description
Andrej Nemec
2017-01-02 09:04:54 UTC
Created drupal7 tracking bugs for this issue: Affects: fedora-all [bug 1409494] Affects: fedora-all [bug 1409495] Affects: epel-all [bug 1409496] Created wordpress tracking bugs for this issue: Affects: fedora-all [bug 1409497] Affects: epel-all [bug 1409498] Created mantis tracking bugs for this issue: Affects: fedora-all [bug 1409492] Affects: epel-5 [bug 1409493] Created php-PHPMailer tracking bugs for this issue: Affects: fedora-all [bug 1409490] Affects: epel-all [bug 1409491] Created drupal8 tracking bugs for this issue: Affects: fedora-all [bug 1409504] Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer since long, so for that app the problem will be fixed as soon as the phpmailer update lands in repos. (In reply to Gianluca Sforna from comment #6) > Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer > since long, so for that app the problem will be fixed as soon as the > phpmailer update lands in repos. Hi Gianluca, thanks for the update. I am marking mantis as notaffected and will close the relevant tracking bug. All Drupal bugs closed as Drupal 7/8 are not affected. See https://www.drupal.org/psa-2016-004 > The PHPMailer and SMTP modules (and maybe others) add support for > sending e-mails using the 3rd party PHPMailer library. > In general the Drupal project does not create advisories for 3rd > party libraries. Drupal site maintainers should pay attention to > the notifications provided by those 3rd party libraries as outlined > in PSA-2011-002 - External libraries and plugins. However, given the > extreme criticality of this issue and the timing of its release we > are issuing a Public Service Announcement to alert potentially > affected Drupal site maintainers. Notice, the fix for this CVE is not enough. See CVE-2016-10045, fixed in PHPMailer 5.2.20 (5.2.21 already in testing repo) Already got those from EPEL (from Remi I guess?): php-PHPMailer-5.2.22-1.el6 php-PHPMailer-5.2.22-1.el7 Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223 for which I can not find any bug here!? (In reply to Benoit Donneaux from comment #10) > Already got those from EPEL (from Remi I guess?): > > php-PHPMailer-5.2.22-1.el6 > php-PHPMailer-5.2.22-1.el7 > > Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223 > for which I can not find any bug here!? My bad: found CVE-2016-10045 at https://bugzilla.redhat.com/show_bug.cgi?id=1412216 |