CVE-2007-3215: remote shell command execution

Related Vulnerabilities: CVE-2007-3215  

Debian Bug report logs - #429179
CVE-2007-3215: remote shell command execution

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 16 Jun 2007 08:24:02 UTC

Severity: grave

Tags: security, upstream

Fixed in version libphp-phpmailer/1.73-4

Done: Kevin Coyner <kevin@rustybear.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kevin@rustybear.com>:
Bug#429179; Package libphp-phpmailer.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Kevin Coyner <kevin@rustybear.com>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2007-3215: remote shell command execution
Date: Sat, 16 Jun 2007 10:21:42 +0200
Package: libphp-phpmailer
Severity: grave
Tags: security upstream

A remote shell command injection vulnerability has been reported:

https://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707

A stable security update is necessary for this bug.

Please mention the name CVE-2007-3215 in the changelog when fixing
this bug.



Information forwarded to debian-bugs-dist@lists.debian.org, kevin@rustybear.com:
Bug#429179; Package libphp-phpmailer.


Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>:
Extra info received and forwarded to list. Copy sent to kevin@rustybear.com.


Message #10 received at 429179@bugs.debian.org:

From: Kevin Coyner <kevin@rustybear.com>
To: Debian Bug Tracking System <429179@bugs.debian.org>
Cc: team@security.debian.org
Subject: libphp-phpmailer: patch prepared, awaiting upload
Date: Sun, 17 Jun 2007 15:07:37 -0400
Package: libphp-phpmailer
Followup-For: Bug #429179

A patch has been prepared to fix this. Source files can be found at:

http://mentors.debian.net/debian/pool/main/l/libphp-phpmailer/libphp-phpmailer_1.73-4.dsc

I have contacted my previous sponsor for this package and requested
an upload.

-- 
Kevin Coyner  GnuPG key: 1024D/8CE11941

Reply sent to Kevin Coyner <kevin@rustybear.com>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #15 received at 429179-close@bugs.debian.org:

From: Kevin Coyner <kevin@rustybear.com>
To: 429179-close@bugs.debian.org
Subject: Bug#429179: fixed in libphp-phpmailer 1.73-4
Date: Wed, 20 Jun 2007 06:17:02 +0000
Source: libphp-phpmailer
Source-Version: 1.73-4

We believe that the bug you reported is fixed in the latest version of
libphp-phpmailer, which is due to be installed in the Debian FTP archive:

libphp-phpmailer_1.73-4.diff.gz
  to pool/main/libp/libphp-phpmailer/libphp-phpmailer_1.73-4.diff.gz
libphp-phpmailer_1.73-4.dsc
  to pool/main/libp/libphp-phpmailer/libphp-phpmailer_1.73-4.dsc
libphp-phpmailer_1.73-4_all.deb
  to pool/main/libp/libphp-phpmailer/libphp-phpmailer_1.73-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 429179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Coyner <kevin@rustybear.com> (supplier of updated libphp-phpmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 16 Jun 2007 21:02:47 -0400
Source: libphp-phpmailer
Binary: libphp-phpmailer
Architecture: source all
Version: 1.73-4
Distribution: unstable
Urgency: high
Maintainer: Kevin Coyner <kevin@rustybear.com>
Changed-By: Kevin Coyner <kevin@rustybear.com>
Description: 
 libphp-phpmailer - full featured email transfer class for PHP
Closes: 429179
Changes: 
 libphp-phpmailer (1.73-4) unstable; urgency=high
 .
   * High urgency upload for security bug fix.
   * Apply patch to properly validate input to prevent shell command execution
     in class.phpmailer.php. See CVE-2007-3215. Closes: #429179.
   * Add dpatch as Build-Depends.
Files: 
 5231fb00c5ae2717e4ecc23943b80cfe 890 web optional libphp-phpmailer_1.73-4.dsc
 0b238499f492de820badab0f199838e0 3002 web optional libphp-phpmailer_1.73-4.diff.gz
 ebdb4db2b236c62733a25b159a30ee77 64722 web optional libphp-phpmailer_1.73-4_all.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Aug 2007 07:30:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:48 2019; Machine Name: buxtehude
