Phpmailer security update (v5.2.21)

Bug #1652995 reported by Yuliya Bozhko
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  Critical     Unassigned
15.04     Fix Released  Critical     Unassigned
15.10     Fix Released  Critical     Unassigned
16.04     Fix Released  Critical     Unassigned
16.10     Fix Released  Critical     Unassigned

Bug Description

PHPMailer just released fixes for some serious security issues. For more details, see https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

Not sure to what extent Mahara might be affected, but would suggest to upgrade all supported branches.

Kristina Hoeppner (kris-hoeppner) wrote :

Thanks Yuliya.

Changed in mahara:
status: New → In Progress
importance: Undecided → High
milestone: none → 17.04.0
Kristina Hoeppner (kris-hoeppner) wrote :

Apparently, there is a new vulnerability in PHPMailer. So we are looking into fixing the immediate issue.

Changed in mahara:
importance: High → Critical
Kristina Hoeppner (kris-hoeppner) wrote :

5.2.21 should fix the issue. Dan recommended improving the validation as well, though.

summary: - Phpmailer security update (v5.2.20)
+ Phpmailer security update (v5.2.21)
Yuliya Bozhko (yuliya.bozhko) wrote :

Version 5.2.21 is just a version mismatch without any functionality change. The real fix is in 5.2.20.

Moodle has a public security issue open for this as well if you would like to check the discussions there https://tracker.moodle.org/browse/MDL-57531.

At Totara, Petr had a look at this PHPMailer release and concluded that it is going to break sending emails with non-standard email addresses if the systems are not configuring custom SMTP servers. Something to be considered as well.

Another thing mentioned was that we should make sure that noreply address is never empty.

Hope it helps.

information type: Private Security → Public Security
Kristina Hoeppner (kris-hoeppner) wrote :

All supported versions of Mahara (15.04, 15.10, 16.04 and 16.10) now have PHPMailer 5.2.21. Any further enhancements will be reviewed. Mahara automatically takes the wwwroot as domain for the noreply address.

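Two points raised in the thread, that the noreply address must never be empty and that the sender address should be validated before it reaches the mail transport, as an added PHP example (not Mahara's or PHPMailer's code; the function names and the noreply@<host of wwwroot> fallback are assumptions):

```php
<?php
// Added example, not code from Mahara or PHPMailer. Function names are hypothetical.

/**
 * Derive the noreply address: use the configured one when present, otherwise
 * fall back to noreply@<host of wwwroot>, so the address is never empty.
 */
function deriveNoreplyAddress(string $configured, string $wwwroot): string
{
    $configured = trim($configured);
    if ($configured !== '') {
        return $configured;
    }
    $host = parse_url($wwwroot, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException('wwwroot has no usable host');
    }
    return 'noreply@' . $host;
}

/**
 * Conservative check for an address that will be handed to the local mail
 * transport as the envelope sender. Deliberately stricter than what the RFCs
 * allow: quoted local parts, whitespace and shell metacharacters are refused.
 * Note that a bare host such as "localhost" (no dot) is refused too, so a
 * development install with wwwroot http://localhost would get no envelope
 * sender from this function.
 */
function isSafeEnvelopeSender(string $address): bool
{
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Limit both sides of the '@' to a plain character set.
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address);
}

/**
 * Returns the address to use as envelope sender, or null when the transport
 * should be called without one rather than with an address that failed the check.
 */
function selectEnvelopeSender(string $configured, string $wwwroot): ?string
{
    $candidate = deriveNoreplyAddress($configured, $wwwroot);
    return isSafeEnvelopeSender($candidate) ? $candidate : null;
}
```

With a constructed input of `selectEnvelopeSender('', 'https://mahara.example.org/')` the result is `noreply@mahara.example.org`; an address containing a quoted local part or whitespace yields null and is never passed on.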
Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Javier J. Salmeron Garcia (jsalmeron) wrote :

Hi,

I see that you use Zend_Mail in some parts of the code. Zend Mail is also affected by the security issue: pwnscriptum.com. Could you confirm if the application is vulnerable?

Cecilia Vela Gurovic (ceciliavg) wrote :

Hi All,

Zend Mail is not being used in Mahara. We do have Zend library, but the part that references Zend Mail is not being used.

We made a bug report to delete it here:

https://bugs.launchpad.net/mahara/+bug/1655150

Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released