Debian-LTS alert DLA-792-1 (libphp-swiftmailer)
From: Markus Koschany <apo@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 792-1] libphp-swiftmailer security update
Date: Thu, 19 Jan 2017 19:51:46 +0100
Message-ID: <48be547c-79fc-0070-f295-116edf94db54@debian.org>

Package        : libphp-swiftmailer
Version        : 4.1.5-1+deb7u1
CVE ID         : CVE-2016-10074
Debian Bug     : 849626

Dawid Golunski from legalhackers-com [1] discovered that the mail
transport in Swift Mailer allowed remote attackers to pass extra
parameters to the mail command and consequently execute arbitrary code
via a \" (backslash double quote) in a crafted e-mail address in the
From, ReturnPath, or Sender header.

[1] https://legalhackers.com/advisories/SwiftMailer-Exploit-R...

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.5-1+deb7u1.

We recommend that you upgrade your libphp-swiftmailer packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
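
As defence in depth alongside the upgrade, an application can refuse any address destined for the From, ReturnPath or Sender header unless it matches a strict allowlist. This is an added example, not code from Swift Mailer or from the Debian patch; the function names and sample addresses are constructed, and the pattern is deliberately stricter than RFC 5322 (quoted local parts are rejected).

```php
<?php
// Added example (hypothetical helper names). Written without scalar type
// hints so it also runs on older PHP releases.

/**
 * True only for a plain local@domain address built from characters that
 * have no special meaning to a shell or a command-line option parser.
 */
function is_plain_sender_address($address)
{
    if (!is_string($address) || strlen($address) > 254) {
        return false;
    }
    // Both sides must start with an alphanumeric, so the value can never
    // begin with "-". Quotes, backslashes, whitespace and control
    // characters are outside the allowlist; \z also refuses a trailing newline.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}'
             . '@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/';
    return preg_match($pattern, $address) === 1;
}

/** Call before handing the value to the mailer's sender-related setters. */
function require_plain_sender_address($address)
{
    if (!is_plain_sender_address($address)) {
        throw new InvalidArgumentException('Rejected sender address');
    }
    return $address;
}

// Constructed sample inputs, as they might arrive from a contact form.
$samples = array(
    'newsletter@example.com',           // accepted
    'first.last+tag@mail.example.org',  // accepted
    '"user\" extra"@example.com',       // rejected: quote, backslash, space
    '-user@example.com',                // rejected: leading dash
    "user@example.com\n",               // rejected: trailing newline
    'user name@example.com',            // rejected: whitespace
);

foreach ($samples as $candidate) {
    $verdict = is_plain_sender_address($candidate) ? 'accept' : 'reject';
    printf("%-6s %s\n", $verdict, json_encode($candidate));
}
```

The check complements the fixed package and does not replace it: code paths that set a sender without going through the helper remain dependent on the library's own handling.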