Date: Mon, 23 Nov 2009 12:04:18 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Mail PEAR module code injection vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

A code injection vulnerability has been found in the sendmail
(Mail/sendmail.php) method of the Mail PEAR module.
The bug was originally reported at  and fixed upstream in 1.2.0b2.

Proper sanitation is also missing for $recipients, but it wasn't addressed by
the fix applied by upstream.

References:
http://pear.php.net/bugs/bug.php?id=16200
http://bugs.debian.org/557121
http://secunia.com/advisories/37410/
http://www.debian.org/security/2009/dsa-1938

Could a CVE be assigned?

thanks in advance

Regards,
- -- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksKzqYACgkQYy49rUbZzlpOCwCfXRy7+ZgiGHwMSAoGueOMhTgA
dnEAn10GpLXSMiNwmY0kXRNUjW7ZGy3F
=MZV8
-----END PGP SIGNATURE-----