oss-sec mailing list archives
CVE request: Mail PEAR module code injection vulnerability
From: Raphael Geissert <geissert () debian org>
Date: Mon, 23 Nov 2009 12:04:18 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

A code injection vulnerability has been found in the sendmail (Mail/sendmail.php) method of the Mail PEAR module. The bug was originally reported at [1] and fixed upstream in 1.2.0b2.

Proper sanitation is also missing for $recipients, but it wasn't addressed by the fix applied by upstream.

References:
[1] http://pear.php.net/bugs/bug.php?id=16200
http://bugs.debian.org/557121
http://secunia.com/advisories/37410/
http://www.debian.org/security/2009/dsa-1938

Could a CVE be assigned?

thanks in advance

Regards,
- --
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksKzqYACgkQYy49rUbZzlpOCwCfXRy7+ZgiGHwMSAoGueOMhTgA
dnEAn10GpLXSMiNwmY0kXRNUjW7ZGy3F
=MZV8
-----END PGP SIGNATURE-----