[IT-SecNots] [Security-news] PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2839366

  * Advisory ID: DRUPAL-SA-PSA-2016-004
  * Project: PHPMailer [1]     (third-party library)
  * Version: 7.x, 8.x
  * Date: 2016-December-26
  * Security risk: 23/25 ( Highly Critical)
    AC:None/A:User/CI:All/II:All/E:Exploit/TD:All [2]
  * Vulnerability: Arbitrary PHP code execution

-------- DESCRIPTION
---------------------------------------------------------

The PHPMailer and SMTP modules (and maybe others) add support for sending
e-mails using the 3rd party PHPMailer library.

In general the Drupal project does not create advisories for 3rd party
libraries. Drupal site maintainers should pay attention to the notifications
provided by those 3rd party libraries as outlined in PSA-2011-002 - External
libraries and plugins [3]. However, given the extreme criticality of this
issue and the timing of its release we are issuing a Public Service
Announcement to alert potentially affected Drupal site maintainers.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

  * CVE-2016-10033

-------- VERSIONS AFFECTED
---------------------------------------------------

All versions of the external PHPMailer library < 5.2.18.

Drupal core is not affected. If you do not use the contributed PHPMailer [4]
third party library, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Upgrade to the newest version of the phpmailler library.
https://github.com/PHPMailer/PHPMailer [5]

-------- IF YOU ARE USING THE SMTP MODULE [6]
--------------------------------

The SMTP module has a modified third party PHPMailer library in its codebase.
   The modified version of the library is not affected.

A special thanks to Fabiano Sant'Ana [7], SMTP module [8] maintainer,  for
working on this with short notice.

-------- REPORTED BY
---------------------------------------------------------

  * Dawid Golunski

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and  securing your site [12].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]


[1] https://github.com/PHPMailer/PHPMailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/1189632
[4] https://github.com/PHPMailer/PHPMailer
[5] https://github.com/PHPMailer/PHPMailer
[6] https://www.drupal.org/project/smtp
[7] https://www.drupal.org/u/wundo
[8] https://www.drupal.org/project/smtp
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news