Your message dated Thu, 28 Jul 2022 07:05:00 +0000
with message-id <e1ogxzs-0000s0...@fasolo.debian.org>
and subject line Bug#991666: fixed in libphp-phpmailer 6.6.3-1
has caused the Debian Bug report #991666,
regarding libphp-phpmailer: CVE-2021-3603
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
991666: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991666
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libphp-phpmailer
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libphp-phpmailer.
CVE-2021-3603[0]:
| PHPMailer 6.4.1 and earlier contain a vulnerability that can result in
| untrusted code being called (if such code is injected into the host
| project's scope by other means). If the $patternselect parameter to
| validateAddress() is set to 'php' (the default, defined by
| PHPMailer::$validator), and the global namespace contains a function
| called php, it will be called in preference to the built-in validator
| of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of
| simple strings as validator function names.
https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/
Patch:
https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
(v6.5.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
Please adjust the affected versions in the BTS as needed.
--- End Message ---
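The dispatch behaviour the CVE description refers to, as an added example that is not part of the original bug report and is not PHPMailer's own code. It is a simplified model: `builtinValidate`, `validateAddressWeak`, `validateAddressHardened` and the sample input are constructed for illustration, and the `!is_string()` guard is an assumption about one way to deny simple strings as validator function names.

```php
<?php
declare(strict_types=1);

// Simplified model of a validator dispatcher (hypothetical names, not PHPMailer source).

/** Built-in check selected by a plain name such as 'php'. */
function builtinValidate(string $address, string $name): bool
{
    switch ($name) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

/** Weak pattern: anything callable wins, including a bare function name. */
function validateAddressWeak(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, (string) $patternselect);
}

/** Hardened pattern: a plain string is never treated as a function name. */
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, (string) $patternselect);
}

// Constructed stand-in for a function that reached the global namespace
// "by other means"; it only records that it ran and accepts everything.
function php(string $address): bool
{
    $GLOBALS['shadowCalls'][] = $address;
    return true;
}

$sample = 'not an address';                      // constructed input
var_dump(validateAddressWeak($sample));          // global php() decides the result
var_dump(validateAddressHardened($sample));      // built-in filter decides the result
var_dump(count($GLOBALS['shadowCalls'] ?? [])); // how often global php() was invoked

// Closures (and other non-string callables) still work as custom validators.
var_dump(validateAddressHardened('a@b', fn($a) => strpos($a, '@') !== false));
```

The same check is useful when auditing other code: any place where a default string option is passed through `is_callable()` before a name lookup can be shadowed by a same-named global function.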
--- Begin Message ---
Source: libphp-phpmailer
Source-Version: 6.6.3-1
Done: Paul Gevers <elb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libphp-phpmailer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated libphp-phpmailer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 28 Jul 2022 08:37:59 +0200
Source: libphp-phpmailer
Architecture: source
Version: 6.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 991666
Changes:
libphp-phpmailer (6.6.3-1) unstable; urgency=medium
.
* New upstream release
- Fixes CVE-2021-3603 (Closes: #991666)
* Remove all patches, applied upstream
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---