Hi

On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > Source: libphp-phpmailer
> > Version: 5.2.9+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > the following vulnerability was published for libphp-phpmailer.
> >
> > CVE-2016-10033[0]:
> > remote code execution
>
> Further analysis of the fix via
> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> has shown that this fix might be incomplete. See
>
> http://www.openwall.com/lists/oss-security/2016/12/28/1
>
> for further details.
There is now a follow-up:

http://www.openwall.com/lists/oss-security/2016/12/28/4

Note that I have marked CVE-2016-10045 in the security-tracker as
not-affected, since the patch for CVE-2016-10033 introducing the issue was
not applied anywhere yet. So when CVE-2016-10033 is fixed, make sure that
the fix is complete so as not to make libphp-phpmailer vulnerable to
CVE-2016-10045.

Not sure though if we should change the way we track both CVEs and treat
libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is specific to
the bypass of the fix for CVE-2016-10033, so TTBOMK we are tracking it right
this way.

Regards,
Salvatore