Hi,

On Wed, Dec 28, 2016 at 11:31:11AM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> > On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > > Source: libphp-phpmailer
> > > Version: 5.2.9+dfsg-2
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for libphp-phpmailer.
> > >
> > > CVE-2016-10033[0]:
> > > remote code execution
> >
> > Further analysis of the fix via
> > https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> > has shown that this fix might be incomplete. See
> >
> > http://www.openwall.com/lists/oss-security/2016/12/28/1
> >
> > for further details.
>
> There was now a followup:
>
> http://www.openwall.com/lists/oss-security/2016/12/28/4
>
> Note that I have marked CVE-2016-10045 in the security-tracker as
> not-affected, since the patch for CVE-2016-10033 introducing the issue
> was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
> sure that the fix is complete to not make libphp-phpmailer vulnerable
> to CVE-2016-10045.
>
> Not sure though if we should change the way we track both CVEs and
> treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
> specific to the bypass of the CVE-2016-10033, so TTBOMK we are
> tracking it right this way.

Note there was another followup, which now seems to conclude the fix; details in
http://www.openwall.com/lists/oss-security/2016/12/28/6

Regards,
Salvatore