On Sunday 09 November 2008 at 08:59 +1100, Dave Hall wrote:
> Hi Thijs,
>
> On Sat, 2008-11-08 at 21:52 +0100, Thijs Kinkhorst wrote:
> > On Sunday 2 November 2008 13:34, Steffen Joeris wrote:
> > > > +phpgroupware (0.9.16.011-2.3) stable-security; urgency=high
> > > > +
> > > > + * Non-maintainer upload.
> > > > + * Fix remote shell command execution in class.phpmailer.php :
> > > > + CVE-2007-3215 (Closes: #504255).
> >
> > > > Can someone from the security team take care of review and the upload ?
> > >
> > > The patch looks good. I'll sponsor the upload. Thanks for your work.
> >
> > I am not sure on how this would be exploited. The code execution only
> > happens when choosing the 'sendmail' method of PhpMailer, which is not
> > the default. I cannot find a way to configure phpgroupware to use the
> > 'sendmail' method.
> >
> > Can someone enlighten me?
>
> After a quick code check this was my conclusion as well.
>
May I suggest that you complement https://savannah.gnu.org/bugs/?24725 also, then ?

Best regards,
--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
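
Review bot: the changelog entry "Fix remote shell command execution in class.phpmailer.php" in the quoted hunk names the file and the CVE but not the affected code path. According to the replies in this thread, execution is only reached through PhpMailer's 'sendmail' method, which is not the default, so the entry could state that to let administrators judge their exposure. The stray space before the colon after class.phpmailer.php could be dropped as well.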