Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603754 - <www-apps/wordpress-4.7.1: Remote code execution through embedded dev-php/PHPMailer (CVE-2016-10033)
Summary: <www-apps/wordpress-4.7.1: Remote code execution through embedded dev-php/PHP...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://core.trac.wordpress.org/ticke...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks: 603752
  Show dependency tree
 
Reported: 2016-12-26 13:18 UTC by Thomas Deutschmann
Modified: 2017-01-11 20:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2016-12-26 13:18:54 UTC
It is suspected that this package is vulnerable to a security vulnerability via embedded dev-php/PHPMailer. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 603752.
Comment 1 Anthony Basile gentoo-dev 2017-01-04 00:45:14 UTC
I've bumped wordpress to the latest version 4.7 which is not vulnerable.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-04 00:50:40 UTC
No, vanilla WordPress v4.7 is vulnerable. It ships the vulnerable PHPMailer class (just renamed). Upstream already merged the patched version, see $URL, but changes not released yet.
Comment 3 Anthony Basile gentoo-dev 2017-01-04 06:31:09 UTC
(In reply to Thomas Deutschmann from comment #2)
> No, vanilla WordPress v4.7 is vulnerable. It ships the vulnerable PHPMailer
> class (just renamed). Upstream already merged the patched version, see $URL,
> but changes not released yet.

Thanks for the clarification.
Comment 4 Sebastian Pipping gentoo-dev 2017-01-11 20:19:20 UTC
Bump to 4.7.1 with a fix.


commit 67671baada119a8d4b6491afd9bfffe8c397f0c2
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Jan 11 21:18:00 2017 +0100

    www-apps/wordpress: 4.7.1 (bug #603754)
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 www-apps/wordpress/Manifest               |  1 +
 www-apps/wordpress/wordpress-4.7.1.ebuild | 56 +++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

https://github.com/gentoo/gentoo/commit/67671baada119a8d4b6491afd9bfffe8c397f0c2
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-01-11 20:35:58 UTC
@ Maintainer(s): Thank you for the bump. Cleanup will happen as part of bug 605408.