Mageia alert MGASA-2015-0484 (php-phpmailer)
From: Mageia Updates <buildsystem-daemon@mageia.org>
To: updates-announce@ml.mageia.org
Subject: [updates-announce] MGASA-2015-0484: Updated php-phpmailer packages fix CVE-2015-8476
Date: Thu, 24 Dec 2015 12:08:53 +0100
Message-ID: <20151224110853.C113D20B427@valstar.mageia.org>

MGASA-2015-0484 - Updated php-phpmailer packages fix CVE-2015-8476

Publication date: 24 Dec 2015
URL: http://advisories.mageia.org/MGASA-2015-0484.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-8476

Description:
Updated php-phpmailer package fixes security vulnerability:

Takeshi Terada discovered that PHPMailer accepted addresses containing line
breaks. This is valid in RFC5322, but allowing such addresses resulted in
invalid RFC5321 SMTP commands, permitting a kind of message injection attack
(CVE-2015-8476).

References:
- https://bugs.mageia.org/show_bug.cgi?id=17319
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
- http://lwn.net/Alerts/667302/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8476

SRPMS:
- 5/core/php-phpmailer-5.2.14-1.mga5
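
The line-break problem described above, as an added example (not part of the advisory and not PHPMailer's own code): a check that refuses any address containing CR, LF or another control character before it is placed in a MAIL FROM or RCPT TO command. The function names and the sample addresses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: true only if $address can sit on one SMTP command line.
 * RFC 5321 commands end at CRLF, so a CR or LF inside the address would
 * terminate the command early and start a new line on the wire.
 */
function isSafeEnvelopeAddress(string $address): bool
{
    // Reject every C0 control character (this includes CR and LF) and DEL.
    // A character class is used instead of a "$"-anchored pattern, because
    // "$" in PCRE also matches just before a trailing newline.
    if (preg_match('/[\x00-\x1F\x7F]/', $address) === 1) {
        return false;
    }
    // Syntax check on what remains.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/** Hypothetical helper: builds the envelope commands or throws. */
function buildEnvelope(string $from, array $recipients): array
{
    foreach (array_merge([$from], $recipients) as $addr) {
        if (!isSafeEnvelopeAddress($addr)) {
            // json_encode escapes the line break so the log entry stays on one line.
            throw new InvalidArgumentException('Rejected address: ' . json_encode($addr));
        }
    }
    $lines = ['MAIL FROM:<' . $from . '>'];
    foreach ($recipients as $rcpt) {
        $lines[] = 'RCPT TO:<' . $rcpt . '>';
    }
    return $lines;
}

// Constructed sample input.
$samples = [
    'alice@example.com',               // accepted
    "\"first\r\n last\"@example.com",  // line break folded into a quoted local part
    "bob@example.com\n",               // trailing newline
];
foreach ($samples as $sample) {
    try {
        echo implode("\n", buildEnvelope('sender@example.org', [$sample])), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```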