CVE-2007-3215: remote shell command execution in class.phpmailer.php

Bug #293003 reported by François Marier
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Debian | Fix Released | Unknown | | |
| mahara (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

Binary package hint: mahara

Mahara has an embedded copy of phpmailer which is vulnerable to this:

CVE-2007-3215[1]:
> PHPMailer 1.7, when configured to use sendmail, allows remote attackers to
> execute arbitrary shell commands via shell metacharacters in the
> SendmailSend function in class.phpmailer.php.
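
An added illustration of the bug class the CVE text describes (not part of the original report, and not PHPMailer's or Mahara's code): a sender value pasted into a sendmail command line, next to the same value validated and passed through `escapeshellarg()`. The function names, the command-line shape and the sendmail path are assumptions; the sample inputs are constructed.

```php
<?php
// Added illustration: hypothetical helpers, not PHPMailer's actual code.

// Unsafe pattern: caller-influenced text is pasted into a string that a
// shell will later parse (for example when handed to popen()).
function build_sendmail_cmd_unsafe(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', $sendmail, $sender);
}

// Hardened pattern: the sender becomes exactly one quoted shell word.
function build_sendmail_cmd_safe(string $sendmail, string $sender): string
{
    // Validation narrows the input, but a syntactically valid local part
    // may still contain characters the shell treats specially, so the
    // quoting below is the actual defence.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a valid address');
    }
    return sprintf('%s -oi -f %s -t',
        escapeshellarg($sendmail), escapeshellarg($sender));
}

$sendmail = '/usr/sbin/sendmail';           // assumed path
$samples = [
    'user@example.org',                     // constructed: ordinary sender
    "o'brien@example.org",                  // constructed: apostrophe in the local part
    'user@example.org; echo INJECTED',      // constructed: shell metacharacter
];

// Nothing is executed here; the loop only prints the command strings so
// the difference in what a shell would receive is visible.
foreach ($samples as $sender) {
    echo 'unsafe: ', build_sendmail_cmd_unsafe($sendmail, $sender), "\n";
    try {
        $safe = build_sendmail_cmd_safe($sendmail, $sender);
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected: ' . $e->getMessage();
    }
    echo 'safe:   ', $safe, "\n\n";
}
```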

François Marier (fmarier) wrote :

(Note that I am both the Debian maintainer and one of the upstream developers of this project)

I have a backport of this fix available in my PPA:

  deb http://ppa.launchpad.net/fmarier/ubuntu intrepid main

(mahara_1.0.4-1ubuntu1~ppa1)

Francois

Jamie Strandboge (jdstrand) wrote :

Francois, can you submit a debdiff and mark the bug In Progress? Thanks!

Changed in mahara:
status: New → Confirmed
status: Confirmed → Triaged
François Marier (fmarier) wrote :

Fixed in 1.0.9-2

Changed in mahara:
status: Triaged → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Changed in debian:
status: Unknown → Fix Released
This report contains Public Security information  
Everyone can see this security related information.