
Swiftmailer Security issue CVE-2016-10074 #11147

Closed
javsalgar opened this issue Jan 5, 2017 · 5 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@javsalgar

On 25.12.2016 a security issue (CVE-2016-10074) was found in the Swiftmailer component for versions lower than 5.4.5. You use the monolog component (in composer.json) which uses Swiftmailer. Could you confirm if that affects the security of the application?

More info: http://pwnscriptum.com/

@tuxmaster

Zend Mail is also affected.
See: https://framework.zend.com/security/advisory/ZF2016-04

@sgiehl
Member

sgiehl commented Jan 7, 2017

Zend Mail is imho only affected in version 2.X. Piwik still uses ZF 1.11, where that shouldn't be possible.

@mattab mattab closed this as completed Jan 8, 2017
@mattab mattab added answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Jan 8, 2017
@javsalgar
Author

I wrote to Zend, and they responded to me with this:

Zend Framework 1 reached its End-of-Life on 28 September 2016, and no longer receives security (or any other) updates. As such, we do not and cannot comment on whether or not it is vulnerable to ZF2016-04.

@sgiehl
Member

sgiehl commented Jan 9, 2017

I've checked the code and it is not affected by this security issue as quotes are automatically removed.
And I'm aware ZF 1 reached its EOL. We need to consider using the new components of ZF 2.
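As an added illustration of what the thread is discussing (this is not code from Matomo, SwiftMailer or Zend Framework, and not part of any comment above), the PHP below shows the vulnerable pattern behind CVE-2016-10074 and ZF2016-04, a caller-controlled sender address interpolated into the fifth argument of mail(), next to a hypothetical sanitizer in the spirit of what sgiehl describes (quotes stripped, then any remaining whitespace or option-looking token rejected). The function names, the payload address and the file path are constructed for the example; nothing here calls mail().

```php
<?php
// Added example: not code from Matomo, SwiftMailer or Zend Framework.
//
// Root cause shared by CVE-2016-10074 (SwiftMailer < 5.4.5) and ZF2016-04:
// a caller-controlled sender address is spliced into the fifth argument
// of PHP's mail() as "-f<address>". PHP passes that string through
// escapeshellcmd(), which neutralises shell metacharacters but not
// spaces, and sendmail then parses it as command-line options. Because
// RFC 5322 allows a quoted local part that contains spaces, an address
// can smuggle extra options such as -X<file> (sendmail's log file),
// which lets an attacker write a file on the server.
//
// Nothing below calls mail(); buildSendmailParams() only returns the
// string a vulnerable transport would hand to mail().

/** Vulnerable pattern: interpolate the address unchanged. */
function buildSendmailParams(string $from): string
{
    return '-f' . $from;
}

/**
 * Hypothetical hardening helper (not the project's own code). It follows
 * the idea mentioned in the thread, removing quotes so a quoted local
 * part cannot hide whitespace, then refuses anything that could still be
 * parsed as a separate sendmail option. Returns null on rejection.
 */
function safeSenderForMailParams(string $from): ?string
{
    // Without quotes and backslashes, whitespace can no longer sit
    // "inside" the local part; it is simply an unsafe character.
    $stripped = str_replace(['"', "'", '\\'], '', $from);

    if ($stripped === '' || preg_match('/\s/', $stripped)) {
        return null; // sendmail splits its argument string on whitespace
    }
    if ($stripped[0] === '-') {
        return null; // would be read as an option rather than an address
    }
    if (filter_var($stripped, FILTER_VALIDATE_EMAIL) === false) {
        return null; // must be exactly one plain address, nothing else
    }
    return $stripped;
}

/** Runs the comparison and returns the observations for inspection. */
function runExample(): array
{
    // Constructed payload in the style reported for CVE-2016-10074;
    // the address and path are illustrative.
    $payload = '"attacker\" -X/var/www/html/shell.php "@example.com';
    $benign  = 'noreply@example.com';

    $vulnerable = buildSendmailParams($payload);

    return [
        'vulnerable_params' => $vulnerable,
        // true: a separate " -X..." token reaches sendmail
        'injected_option'   => strpos($vulnerable, ' -X') !== false,
        // null: the quoted local part is rejected once quotes are gone
        'hardened_payload'  => safeSenderForMailParams($payload),
        // unchanged: an ordinary address still passes
        'hardened_benign'   => safeSenderForMailParams($benign),
    ];
}

foreach (runExample() as $label => $value) {
    printf("%-18s %s\n", $label . ':', var_export($value, true));
}
```

The check is deliberately stricter than a syntax validator alone: filter_var() would accept some quoted local parts, so the quote stripping and the whitespace test come first, and only a single bare address survives into the mail() parameter string.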

@tsteur
Member

tsteur commented Jan 9, 2017

Or PHP Mailer for the Mail component :) #8613 (comment)
