Package: phpgroupware-felamimail
Severity: grave
Version: 0.9.16.011-2.2
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
PHPMailer, which affects the embedded copy shipped in 
phpgroupware-felamimail[0].

CVE-2007-3215[1]:
> PHPMailer 1.7, when configured to use sendmail, allows remote attackers to
> execute arbitrary shell commands via shell metacharacters in the
> SendmailSend function in class.phpmailer.php.

The patch for class.phpmailer.php can be found at [2]. However, it would be 
better if phpgroupware-felamimail just depended on libphp-phpmailer (also 
available in etch) and the include/require calls changed to use the copy 
provided by that package, to avoid shipping yet another embedded code copy.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[0] usr/share/phpgroupware/felamimail/inc/class.phpmailer.inc.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
     http://security-tracker.debian.net/tracker/CVE-2007-3215
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
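Added illustration of the bug class the CVE text above describes (not code from PHPMailer, phpgroupware or the reporter): a sendmail command line assembled from an unescaped envelope sender, beside the escapeshellarg() form that the fix pattern relies on. The function names, the command shape and the sample Sender value are assumptions constructed for this example, not a copy of class.phpmailer.php.

```php
<?php
// Added example of the CVE-2007-3215 pattern. Nothing here is PHPMailer's
// own code; the command shape "<sendmail> -oi -f <sender> -t" and the
// function names are assumptions modelled on how a sendmail pipe is built.

// Vulnerable shape: the envelope sender is interpolated into the command
// string unescaped. When the string is handed to popen(), /bin/sh parses it,
// so metacharacters in $sender (";", "|", "`", "$(...)") become commands.
function buildSendmailCmdVulnerable(string $sendmail, string $sender): string
{
    return sprintf("%s -oi -f %s -t", $sendmail, $sender);
}

// Hardened shape: every token that can carry user input is wrapped in
// escapeshellarg(), which single-quotes the value and escapes embedded
// single quotes, so the shell passes it through as exactly one argument.
function buildSendmailCmdHardened(string $sendmail, string $sender): string
{
    return sprintf(
        "%s -oi -f %s -t",
        escapeshellarg($sendmail),
        escapeshellarg($sender)
    );
}

// Defence in depth: refuse anything that does not look like a bare address
// before it gets near the command line, so escaping is not the only barrier.
function isSaneSender(string $sender): bool
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // No whitespace, quotes, backticks, redirection or grouping characters.
    return preg_match('/^[^\s\'"`$;&|<>(){}\\\\]+$/', $sender) === 1;
}

// Constructed input: a Sender value as an attacker could supply it through
// a web form whose value ends up in the mailer's Sender/From property.
$sendmail = '/usr/sbin/sendmail';
$evil     = 'attacker@example.org; id > /tmp/pwned';

// The vulnerable string contains an unquoted ";" followed by a second
// command; the hardened string carries the same bytes inside one quoted
// argument that sendmail receives as a (bogus) address and nothing more.
echo "vulnerable: ", buildSendmailCmdVulnerable($sendmail, $evil), "\n";
echo "hardened:   ", buildSendmailCmdHardened($sendmail, $evil), "\n";
echo "accepted by validator: ", isSaneSender($evil) ? "yes" : "no", "\n";

// The real pipe would then be opened on the hardened string, e.g.
// $pipe = popen(buildSendmailCmdHardened($sendmail, $sender), 'w');
// followed by fwrite() of the headers and body; not executed here.
```

Usage: run with `php example.php` to compare the two command lines. Note that escaping the sender only closes this injection point; the sendmail path and any other value that reaches the pipe (a configurable Sendmail property, for instance) needs the same treatment, which is one reason the report prefers depending on a maintained libphp-phpmailer over patching an embedded copy.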
