-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.0010.2
                     libphp-phpmailer security update
                              4 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libphp-phpmailer
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10045 CVE-2016-10033 

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3750

Revision History:  January 4 2017: A functional regression was discovered in
                                   some specific usage scenarios of PHPMailer
                                   following the security update of DSA-3750
                   January 3 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3750-2                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst 
January 3, 2017                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2016-10033
Debian Bug     : 849365

A functional regression was discovered in some specific usage
scenarios of PHPMailer following the security update of DSA-3750. New
packages have been released which correct the problem. The original
advisory text follows for reference.

Dawid Golunski discovered that PHPMailer, a popular library to send
email from PHP applications, allowed a remote attacker to execute
code if they were able to provide a crafted Sender address.

Note that for this issue also CVE-2016-10045 was assigned, which is a
regression in the original patch proposed for CVE-2016-10033. Because
the original patch was not applied in Debian, Debian was not vulnerable
to CVE-2016-10045.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.9+dfsg-2+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.14+dfsg-2.2.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJYa+25AAoJEFb2GnlAHawEUs8IAKYahU2KZMkzgjYBA1lmZ+2U
0GubkSidGQMkljRSXBzqCC/1+VZxHSvIDThLT8UkD8KCExoKrqtmilfFz65m2Eo4
kFVLMz0uG+sv9G9pd4dPlkWusvQVLZaP7xceqqVlIbvmAjNoAJJQ3C8nXLJFqPW+
x7g/QHK6q4QzC5aOJCgHuTxsG3geTKI1aa4TfMtK9Akusk7QM8GmPjJW3F9vt19V
+XW0SLmhPT7W/GY5PaYfNtZmrnhWCltSpMMsANkaHSEyqqMe7arPyhbdbZnh5Y3E
PrNOK2sIEWI/P3PXm0w93z0T2pFLSjLXHD72rGtIvPy8PWmt76QnFocNE4dpwFY=
=HZaN
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3750-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst 
December 31, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2016-10033
Debian Bug     : 849365

Dawid Golunski discovered that PHPMailer, a popular library to send
email from PHP applications, allowed a remote attacker to execute
code if they were able to provide a crafted Sender address.

Note that for this issue also CVE-2016-10045 was assigned, which is a
regression in the original patch proposed for CVE-2016-10033. Because
the original patch was not applied in Debian, Debian was not vulnerable
to CVE-2016-10045.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.9+dfsg-2+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.14+dfsg-2.1.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJYZ4upAAoJEFb2GnlAHawEhbcH/joHWmVH54g/p+YII4WweBhv
Q1Mamu60laNir/PmVKRI8kddVx78KkSGc0lgmCfp2e5N40TH182kiWujvYxalzUo
B5hKTIb3XWIpT0LOyckTxODSyMXQEU3hKb9vcTgrXUynpjmJTSKQWy3j4ckRj5FF
bpcs9opSpnqXhWvn4SW373ikJoYqrcZw0uytMhSzHWCWbStdJ6ccyQJuzrctxFBt
oXCiae8aPmcJPHwD9A6bbLE75vAbioMmznGOSEXWv7BHHpjwKCDXmmblwift5bgJ
m5plMdeNf6EZn+f3KslDcETdeJxeufe0jtxskQJQqKdewIiy+xl7ZyKiMNisTn0=
=sfTk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWGw3Uox+lLeg9Ub1AQgSDxAAoLnfsm4Ie4JkUTWPR/NHy53UKtCYUK9Q
Mso0vI8FYibrLGl11A9kRwvzgXNCMphdfDcDahCny+Dv8tTsb9rdEg+51VVMjbaL
0AtQPz9jAjmn0Sw4QPGJutfgrKn4RV8I4R3xVZ8tXcJ9E8VrYhMq/K0h7AnbehFm
T6zjUgRdEq9GaCsiLpm5aQvxvgbwmT+xtLE0gwI1tY+dYDsH5wyJnKJaDnWk9o+5
UmewuePCu4mEB9+jSTTLNcs/GdNbC+89dAbSuKB0lgr2vJY5uVuLT08uhcOtKokI
iWOoQj52S92A+pYo2xTOHHxsO2ROQNpJrfq3JX+5X2QDlzZCPw9n9VcP/WcXJRVc
9LtluOHjLSPr+5dx5hNlaCD0MUvBw2O9AkkiTo68SZGEXncmFqaZXcquE7Pvyd0p
+V4D+4OKAFUe/cJvWfSLftIZYhlzgZexmHB6B1j9TuFR3ULV027dVmVYhvUKLbGp
UyZxbNWyjrwOe08e3uqQkBO73RakdPIeBt63ePybgpeTtAvuqcUuZ7+EFcRW8D05
55BntI4Qb7l2oLwK27F1jXVSDvg9yfmoIWh0Cr25jS3h7mW/6kvEt3eL6SIh3Ca+
5DowZFalHywR1usxOBZMSbNUPZNacV65U3uXMtH3Bqn7AYY3k94hmZk7+JstUNvy
pbH1FdCIQsc=
=/+tM
-----END PGP SIGNATURE-----