Debian Security Advisory

DSA-3416-1 libphp-phpmailer -- security update

Date Reported:
13 Dec 2015
Affected Packages:
libphp-phpmailer
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 807265.
In Mitre's CVE dictionary: CVE-2015-8476.
More information:

Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library for email transfer, used by many CMSs. The library accepted email addresses and SMTP commands containing line breaks, which can be abused by an attacker to inject messages.

For the oldstable distribution (wheezy), this problem has been fixed in version 5.1-1.1.

For the stable distribution (jessie), this problem has been fixed in version 5.2.9+dfsg-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 5.2.14+dfsg-1.

We recommend that you upgrade your libphp-phpmailer packages.