libphp-swiftmailer: CVE-2016-10074

Related Vulnerabilities: CVE-2016-10074  

Debian Bug report logs - #849626

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 29 Dec 2016 10:00:05 UTC

Severity: grave

Tags: security, upstream

Found in version libphp-swiftmailer/5.2.2-1

Fixed in version libphp-swiftmailer/5.4.2-1.1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Roudaire <nikrou77@gmail.com>:
Bug#849626; Package src:libphp-swiftmailer. (Thu, 29 Dec 2016 10:00:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Roudaire <nikrou77@gmail.com>. (Thu, 29 Dec 2016 10:00:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libphp-swiftmailer: CVE-2016-10074
Date: Thu, 29 Dec 2016 09:46:57 +0100
Source: libphp-swiftmailer
Version: 5.2.2-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for libphp-swiftmailer.

CVE-2016-10074[0]:
Remote Code Execution

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10074
[1] https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas Roudaire <nikrou77@gmail.com>:
Bug#849626; Package src:libphp-swiftmailer. (Wed, 04 Jan 2017 16:54:04 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Nicolas Roudaire <nikrou77@gmail.com>. (Wed, 04 Jan 2017 16:54:04 GMT)


Message #10 received at 849626@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: <849626@bugs.debian.org>
Subject: Patch for 5.4.2-1.1 NMU
Date: Wed, 4 Jan 2017 17:43:37 +0100
Hi,

I've taken the liberty to fix this security issue in an NMU to sid.
Attached is the debdiff.


Cheers,
Thijs
[849626.diff (text/x-patch, attachment)]

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Wed, 04 Jan 2017 17:06:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Jan 2017 17:06:15 GMT)


Message #15 received at 849626-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 849626-close@bugs.debian.org
Subject: Bug#849626: fixed in libphp-swiftmailer 5.4.2-1.1
Date: Wed, 04 Jan 2017 17:04:02 +0000
Source: libphp-swiftmailer
Source-Version: 5.4.2-1.1

We believe that the bug you reported is fixed in the latest version of
libphp-swiftmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libphp-swiftmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 04 Jan 2017 16:31:03 +0000
Source: libphp-swiftmailer
Binary: php-swiftmailer libphp-swiftmailer
Architecture: source all
Version: 5.4.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Nicolas Roudaire <nikrou77@gmail.com>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 libphp-swiftmailer - transitional dummy package
 php-swiftmailer - ${phpcomposer:description}
Closes: 849626
Changes:
 libphp-swiftmailer (5.4.2-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2016-10074: Remote Code Execution by applying patch
     e6ccf40d from upstream (Closes: #849626).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:34:30 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:52:21 2019; Machine Name: buxtehude
