Debian: Subject: [DSA 1315-1] New libphp-phpmailer packages fix arbitrary shell command execution
Summary
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1315-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
June 19th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libphp-phpmailer
Vulnerability  : missing input validation
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-3215

Thor Larholm discovered that libphp-phpmailer, an email transfer class
for PHP, performs insufficient input validation if configured to use
Sendmail. This allows the execution of arbitrary shell commands.

The oldstable distribution (sarge) doesn't include libphp-phpmailer.

For the stable distribution (etch) this problem has been fixed in
version 1.73-2etch1.

For the unstable distribution (sid) this problem has been fixed in
version 1.73-4.

We recommend that you upgrade your libphp-phpmailer package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

    Size/MD5 checksum:      657 90c98199f785cc36e195da8c68f59dc4
    Size/MD5 checksum:     2478 67871680e53fe86e23987c3d8818dbdb
    Size/MD5 checksum:    68644 3a6ce5ff38090d6ca4881e31da00f623

Architecture independent components:

    Size/MD5 checksum:    63716 5ee6556e537c92ad693677e24374184d

These files will probably be moved into the stable distribution on
its next update.
- --------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
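The following PHP is an added illustration of the class of bug the advisory describes and is not code from PHPMailer or from the Debian patch. It models the Sendmail-transport pattern in which an envelope sender address is interpolated into the command line handed to popen(): the unsafe builder passes the value through unchanged, so shell metacharacters in it become additional commands, while the hardened builder first rejects anything that is not a plausible address and then quotes what is left with PHP's escapeshellcmd()/escapeshellarg(). The sendmail path, the function names and the sample addresses are constructed for the demo.

```php
<?php
// Added illustration, not PHPMailer's code: models an envelope sender being
// interpolated into a sendmail command line, unsafe and hardened side by side.
// $sendmailPath, the function names and the sample addresses are constructed.

// Unsafe pattern: the sender goes straight into the shell command string.
// A value such as "x@example.com; id" turns into two shell commands.
function build_sendmail_cmd_unsafe(string $sendmailPath, string $sender): string
{
    return sprintf("%s -oi -f %s -t", $sendmailPath, $sender);
}

// Hardened pattern: validate first, then quote so the shell sees one literal
// argument. Validation alone is the real control; quoting is defence in depth.
function build_sendmail_cmd_safe(string $sendmailPath, string $sender): string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("rejected envelope sender: " . $sender);
    }
    // escapeshellcmd() neutralises metacharacters in the program path,
    // escapeshellarg() wraps the address in single quotes for the shell.
    return sprintf(
        "%s -oi -f %s -t",
        escapeshellcmd($sendmailPath),
        escapeshellarg($sender)
    );
}

// Constructed inputs: one ordinary sender, one carrying shell metacharacters.
$sendmailPath = '/usr/sbin/sendmail';
$senders = [
    'alice@example.com',
    'alice@example.com; id',   // constructed; stands in for any injected command
];

foreach ($senders as $sender) {
    echo "sender: ", $sender, "\n";
    echo "  unsafe: ", build_sendmail_cmd_unsafe($sendmailPath, $sender), "\n";
    try {
        echo "  safe:   ", build_sendmail_cmd_safe($sendmailPath, $sender), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   ", $e->getMessage(), "\n";
    }
}
```

Run it with the PHP CLI; the unsafe line for the second sender shows a command string that the shell would split at the semicolon, while the hardened builder refuses the value before any command is built. The same check applies to any other field a caller can influence (for example a From address used to derive the envelope sender): anything that reaches a shell command line must be validated against the shape you expect and quoted, never concatenated.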