===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0010.2
                      libphp-phpmailer security update
                               4 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libphp-phpmailer
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10045 CVE-2016-10033

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3750

Revision History:  January 4 2017: A functionality regression was discovered
                                   in some specific usage scenarios of
                                   PHPMailer following the security update
                                   of DSA-3750.
                   January 3 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3750-2                   security@debian.org
https://www.debian.org/security/                           Thijs Kinkhorst
January 3, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2016-10033
Debian Bug     : 849365

A functionality regression was discovered in some specific usage scenarios
of PHPMailer following the security update of DSA-3750. New packages have
been released which correct the problem. The original advisory text follows
for reference.

Dawid Golunski discovered that PHPMailer, a popular library to send email
from PHP applications, allowed a remote attacker to execute code if they
were able to provide a crafted Sender address.

Note that CVE-2016-10045 was also assigned for this issue; it covers a
regression in the original patch proposed for CVE-2016-10033. Because the
original patch was not applied in Debian, Debian was not vulnerable to
CVE-2016-10045.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.9+dfsg-2+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.14+dfsg-2.2.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3750-1                   security@debian.org
https://www.debian.org/security/                           Thijs Kinkhorst
December 31, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2016-10033
Debian Bug     : 849365

Dawid Golunski discovered that PHPMailer, a popular library to send email
from PHP applications, allowed a remote attacker to execute code if they
were able to provide a crafted Sender address.

Note that CVE-2016-10045 was also assigned for this issue; it covers a
regression in the original patch proposed for CVE-2016-10033. Because the
original patch was not applied in Debian, Debian was not vulnerable to
CVE-2016-10045.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.9+dfsg-2+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.14+dfsg-2.1.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
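As an added example that is not part of the AusCERT bulletin or the Debian advisory, the following Python reimplements dpkg's version ordering so that an installed libphp-phpmailer version can be classified against the two fixed versions the advisory quotes: hosts still below the DSA-3750-1 version remain exposed to CVE-2016-10033, and hosts at that version but below the DSA-3750-2 version carry the functionality regression. The suite keys and the three status labels are this example's own naming.

```python
import re

# Fixed versions quoted in the bulletin: DSA-3750-1 fixed CVE-2016-10033,
# DSA-3750-2 fixed the functionality regression that update introduced.
ORIGINAL_FIX = {"jessie": "5.2.9+dfsg-2+deb8u2", "sid": "5.2.14+dfsg-2.1"}
REGRESSION_FIX = {"jessie": "5.2.9+dfsg-2+deb8u3", "sid": "5.2.14+dfsg-2.2"}

def _weight(c):  # dpkg ordering: '~' before everything, letters before symbols
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):  # dpkg compares alternating non-digit and digit runs
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _weight(sa[i]) if i < len(sa) else 0  # 0 = end of run
            ob = _weight(sb[i]) if i < len(sb) else 0
            if oa != ob:
                return oa - ob
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0 with the semantics of dpkg --compare-versions."""
    def split(v):  # [epoch:]upstream[-revision]; revision follows the last '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def classify(installed, suite):
    """current: both DSA-3750 updates applied.
    patched-regression: CVE-2016-10033 fixed, but the DSA-3750-2 fix for the
    functionality regression is still missing.
    vulnerable: below the DSA-3750-1 version, so CVE-2016-10033 is unfixed."""
    if compare_versions(installed, REGRESSION_FIX[suite]) >= 0:
        return "current"
    if compare_versions(installed, ORIGINAL_FIX[suite]) >= 0:
        return "patched-regression"
    return "vulnerable"
```

Feed it the output of `dpkg-query -W -f '${Version}' libphp-phpmailer` from each host, together with the host's suite, to find machines that need either update.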