Phpmailer security update (v5.2.21)

Bug #1652995 reported by Yuliya Bozhko on 2016-12-28
Affects   Status   Importance   Assigned to   Milestone
Mahara             Critical     Unassigned
15.04              Critical     Unassigned
15.10              Critical     Unassigned
16.04              Critical     Unassigned
16.10              Critical     Unassigned

Bug Description

PHPMailer just released fixes for some serious security issues. For more details, see https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

Not sure to what extent Mahara might be affected, but would suggest to upgrade all supported branches.

CVE References

Thanks Yuliya.

Changed in mahara:
status: New → In Progress
importance: Undecided → High
milestone: none → 17.04.0

Apparently, there is a new vulnerability in PHPMailer. So we are looking into fixing the immediate issue.

Changed in mahara:
importance: High → Critical

5.2.21 should fix the issue. Dan recommended improving the validation as well, though.

summary: - Phpmailer security update (v5.2.20)
+ Phpmailer security update (v5.2.21)
Yuliya Bozhko (yuliya.bozhko) wrote :

Version 5.2.21 is just a version mismatch without any functionality change. The real fix is in 5.2.20.

Moodle has a public security issue open for this as well if you would like to check the discussions there https://tracker.moodle.org/browse/MDL-57531.

At Totara, Petr had a look at this PHPMailer release and concluded that it is going to break sending emails with non-standard email addresses if the systems do not configure custom SMTP servers. Something to be considered as well.

Another thing mentioned was that we should make sure that noreply address is never empty.

Hope it helps.

information type: Private Security → Public Security

All supported versions of Mahara (15.04, 15.10, 16.04 and 16.10) now have PHPMailer 5.2.21. Any further enhancements will be reviewed. Mahara automatically takes the wwwroot as domain for the noreply address.

Robert Lyon (robertl-9) on 2016-12-29
Changed in mahara:
status: In Progress → Fix Committed
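The three points raised above (Dan's suggestion to improve the validation, Petr's caveat that stricter checks break non-standard addresses unless a custom SMTP server is configured, and the rule that the noreply address is derived from wwwroot and never empty) all concern the same code path: the sender string that ends up in the fifth argument of PHP's mail() as "-f<sender>". PHP passes that argument through escapeshellcmd() before handing it to sendmail, which is why an address that is syntactically valid under RFC 5322 (a quoted local part may contain spaces and backslashes) can still inject sendmail options, and why wrapping it in escapeshellarg() is not a fix on its own. The PHP below is an added illustration of a conservative guard, not Mahara's or PHPMailer's code; the function names, the allowlist regular expression, the $wwwroot parameter and the sample addresses are all my own constructions.

```php
<?php
// Added example (not Mahara or PHPMailer code). Shows why the sender passed to
// mail()'s fifth argument ("-f<sender>") needs a narrower check than
// FILTER_VALIDATE_EMAIL, and what that check does with the cases discussed
// in this bug report. Function names and regex are the author's own choices.

/**
 * Conservative allowlist for an address that will be interpolated into the
 * sendmail command line. Deliberately narrower than RFC 5322: no quoted local
 * parts, no whitespace, no shell metacharacters. A valid-but-unusual address
 * is rejected on purpose; that is the breakage Petr's note refers to.
 */
function isShellSafeSender(string $addr): bool
{
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Unquoted local part and a plain dotted domain only.
    $re = '/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
        . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/';
    return preg_match($re, $addr) === 1;
}

/**
 * Choose the envelope sender. An empty request falls back to a noreply address
 * built from the site host (the $wwwroot parameter is assumed here, mirroring
 * the behaviour described in the thread). Anything that fails the shell-safe
 * check is replaced by the fallback instead of reaching the shell.
 */
function envelopeSender(string $requested, string $wwwroot): string
{
    $host = parse_url($wwwroot, PHP_URL_HOST) ?: 'localhost';
    $fallback = 'noreply@' . $host;
    if ($requested === '' || !isShellSafeSender($requested)) {
        return $fallback;
    }
    return $requested;
}

/** Build mail()'s fifth argument; only ever called with a vetted sender. */
function sendmailParams(string $sender): string
{
    return '-f' . $sender;
}

// Constructed test inputs (not taken from the bug report).
$cases = [
    // Ordinary address: passes both checks.
    'alice@example.org',
    // Quoted local part carrying sendmail options: the shape described in the
    // linked PHPMailer advisory. RFC-valid, but must never reach the shell.
    '"attacker\" -oQ/tmp/ -X/var/www/html/x.php "@example.org',
    // Legitimate but non-standard quoted local part: rejected by the allowlist,
    // which is the compatibility cost the thread warns about.
    '"john smith"@example.org',
    // Empty sender: must fall back to the wwwroot-derived noreply address.
    '',
];

foreach ($cases as $c) {
    $valid = filter_var($c, FILTER_VALIDATE_EMAIL) !== false ? 'valid' : 'invalid';
    $safe  = isShellSafeSender($c) ? 'safe' : 'unsafe';
    $use   = envelopeSender($c, 'https://mahara.example.org/');
    printf("%-62s rfc=%-7s shell=%-6s params=%s\n",
        var_export($c, true), $valid, $safe, sendmailParams($use));
}
```

The allowlist rejects the quoted-local-part payload and the harmless "john smith" address alike; if a site needs the latter, the practical answer is the one given in the thread, routing mail through a configured SMTP server so that no sendmail command line is built at all. The fallback also guarantees that "-f" is never emitted with an empty or unvetted value.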

Hi,

I see that you use Zend_Mail in some parts of the code. Zend Mail is also affected by the security issue: pwnscriptum.com. Could you confirm if the application is vulnerable?

Hi All,

Zend Mail is not being used in Mahara. We do have Zend library, but the part that references Zend Mail is not being used.

We made a bug report to delete it here:

https://bugs.launchpad.net/mahara/+bug/1655150

Robert Lyon (robertl-9) on 2017-04-27
Changed in mahara:
status: Fix Committed → Fix Released