CVE-2020-13625 (https://nvd.nist.gov/vuln/detail/CVE-2020-13625): PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
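To illustrate the description above, here is an added example (not PHPMailer code and not part of this bug report) that models a MIME name="..." parameter written without escaping and with RFC 5322 quoted-string escaping, then parses both the way a receiver would. The function names and the sample file name are constructed for the illustration, and the unescaped builder is an assumed model of the pre-6.1.6 output.

```python
"""Model of the attachment-name quoting problem described in CVE-2020-13625."""

SAMPLE = 'summary".txt'  # constructed file name containing a double quote


def naive_name_param(filename: str) -> str:
    # Assumed model of the buggy output: the name is wrapped in quotes as-is.
    return f'name="{filename}"'


def escaped_name_param(filename: str) -> str:
    # RFC 5322 quoted-string: backslash-escape backslashes, then double quotes.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'name="{escaped}"'


def receiver_name(param: str):
    """Read name="..." as a quoted-string.

    Returns (decoded name, trailing text the parser did not consume).
    Non-empty trailing text means the header is malformed for the receiver.
    """
    prefix = 'name="'
    if not param.startswith(prefix):
        raise ValueError("not a quoted name parameter")
    out = []
    i = len(prefix)
    while i < len(param):
        ch = param[i]
        if ch == "\\" and i + 1 < len(param):
            out.append(param[i + 1])  # quoted-pair: take next char literally
            i += 2
        elif ch == '"':
            return "".join(out), param[i + 1:]  # closing quote ends the value
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated quoted-string")


if __name__ == "__main__":
    for build in (naive_name_param, escaped_name_param):
        header = build(SAMPLE)
        name, rest = receiver_name(header)
        print(f"{build.__name__}: {header!r} -> name={name!r} leftover={rest!r}")
```

With the unescaped form the receiver stops at the embedded quote, so it sees a different name and loses the extension; a mail gateway can flag this case by rejecting parameters that leave unparsed trailing text.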
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b30bb859bc507d6baef0d93e1a739c1664ce26a4

commit b30bb859bc507d6baef0d93e1a739c1664ce26a4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:36:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: remove old "unused" versions.

    This leaves PHPMailer-5.2.28, which was released on 2020-03-09 and is
    the latest release from the 5.x series. No one has said whether or not
    CVE-2020-13625 affects v5.2.28 as well, but the description
    "insufficient output escaping" sounds scarier than it is. This bug
    isn't known to be exploitable; a priori it just gives the attachment
    the wrong name.

    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest                |  6 ---
 dev-php/PHPMailer/PHPMailer-5.2.27.ebuild | 64 ---------------------------
 dev-php/PHPMailer/PHPMailer-6.0.7.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.2.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.3.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.4.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.5.ebuild  | 73 -------------------------------
 7 files changed, 435 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02e9960b449b8af4440ffa2bb40030962d9dc5a1

commit 02e9960b449b8af4440ffa2bb40030962d9dc5a1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:30:43 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: new version 6.1.6 to fix CVE-2020-13625.

    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest               |  1 +
 dev-php/PHPMailer/PHPMailer-6.1.6.ebuild | 73 ++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
All done. Thanks!