libphp-phpmailer: CVE-2017-5223

Related Vulnerabilities: CVE-2017-5223  

Debian Bug report logs - #853232
libphp-phpmailer: CVE-2017-5223


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 30 Jan 2017 18:27:01 UTC

Severity: grave

Tags: patch, pending, security

Found in versions libphp-phpmailer/5.2.9+dfsg-2, libphp-phpmailer/5.1-1.1

Fixed in version libphp-phpmailer/5.2.14+dfsg-2.3

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#853232; Package libphp-phpmailer. (Mon, 30 Jan 2017 18:27:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Mon, 30 Jan 2017 18:27:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libphp-phpmailer: CVE-2017-5223
Date: Mon, 30 Jan 2017 19:24:02 +0100
Package: libphp-phpmailer
Severity: grave
Tags: security
Justification: user security hole

Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5223
for details.

Cheers,
        Moritz



Marked as found in versions libphp-phpmailer/5.2.9+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2017 19:00:03 GMT).


Marked as found in versions libphp-phpmailer/5.1-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2017 09:39:08 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#853232; Package libphp-phpmailer. (Sat, 25 Feb 2017 18:39:02 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sat, 25 Feb 2017 18:39:03 GMT).


Message #14 received at 853232@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 853232@bugs.debian.org
Subject: libphp-phpmailer: diff for NMU version 5.2.14+dfsg-2.3
Date: Sat, 25 Feb 2017 19:37:54 +0100
Control: tags 853232 + patch
Control: tags 853232 + pending

Dear maintainer,

I've prepared an NMU for libphp-phpmailer (versioned as 5.2.14+dfsg-2.3) and
uploaded it to unstable.

Regards,

Markus
[libphp-phpmailer-5.2.14+dfsg-2.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Markus Koschany <apo@debian.org> to 853232-submit@bugs.debian.org. (Sat, 25 Feb 2017 18:39:03 GMT).


Added tag(s) pending. Request was from Markus Koschany <apo@debian.org> to 853232-submit@bugs.debian.org. (Sat, 25 Feb 2017 18:39:03 GMT).


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 25 Feb 2017 19:09:14 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 25 Feb 2017 19:09:14 GMT).


Message #23 received at 853232-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 853232-close@bugs.debian.org
Subject: Bug#853232: fixed in libphp-phpmailer 5.2.14+dfsg-2.3
Date: Sat, 25 Feb 2017 19:04:35 +0000
Source: libphp-phpmailer
Source-Version: 5.2.14+dfsg-2.3

We believe that the bug you reported is fixed in the latest version of
libphp-phpmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 853232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libphp-phpmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Feb 2017 19:15:08 +0100
Source: libphp-phpmailer
Binary: libphp-phpmailer
Architecture: source
Version: 5.2.14+dfsg-2.3
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libphp-phpmailer - full featured email transfer class for PHP
Closes: 853232
Changes:
 libphp-phpmailer (5.2.14+dfsg-2.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2017-5223:
     It was discovered that there was a local file disclosure vulnerability in
     libphp-phpmailer, an email transfer class for PHP, where insufficient
     parsing of HTML messages could potentially be used by an attacker to read a
     local file. (Closes: #853232)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#853232; Package libphp-phpmailer. (Sat, 25 Feb 2017 19:12:04 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sat, 25 Feb 2017 19:12:04 GMT).


Message #28 received at 853232@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 853232@bugs.debian.org
Subject: libphp-phpmailer: diff for NMU version 5.2.14+dfsg-2.3
Date: Sat, 25 Feb 2017 19:24:08 +0100
Control: tags 853232 + patch
Control: tags 853232 + pending

Dear maintainer,

I've prepared an NMU for libphp-phpmailer (versioned as 5.2.14+dfsg-2.3) and
uploaded it to unstable.

Regards,

Markus
[libphp-phpmailer-5.2.14+dfsg-2.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Markus Koschany <apo@debian.org> to 853232-submit@bugs.debian.org. (Sat, 25 Feb 2017 19:12:04 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:36:54 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:21 2019; Machine Name: buxtehude
