Bug#429191: flyspray phpmailer: not relevant for stable
> A security bug has been discovered in PHPMailer:
> | PHPMailer 1.7, when configured to use sendmail, allows remote
> | attackers to execute arbitrary shell commands via shell metacharacters
> | in the SendmailSend function in class.phpmailer.php
> Your package contains a copy of PHPMailer.
I've fixed this for unstable since replacing the copy of phpmailer with a
dependency was a good move anyway. For stable I've checked whether it's
vulnerable and I believe it's not: the vulnerability is in the SendmailSend()
function. That requires the calling code to actually use the sendmail
method, which Flyspray does not allow in any configuration.
I suppose the security team does not send advisories for insecure code that is
As an additional note: sarge is not vulnerable because it doesn't contain a
copy of the phpmailer class at all.
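As an added PHP sketch for the triage above (not code from PHPMailer, Flyspray or the reporter): it shows the shape of the sendmail command-line issue, an escaped form of the same line, and the configuration check that decides whether the sendmail path is reachable at all. Only the property names ($Mailer, $Sendmail, $Sender) follow PHPMailer's public API; the class body and the sample value are assumptions.

```php
<?php
// Added illustration, not PHPMailer's or Flyspray's code. Property names
// follow PHPMailer's public API; the class body is an assumption.
class MailerSketch
{
    public $Mailer   = 'mail';                 // 'mail', 'smtp' or 'sendmail'
    public $Sendmail = '/usr/sbin/sendmail';   // path handed to popen()
    public $Sender   = '';                     // envelope sender (-f)

    // Vulnerable shape: the sender address is interpolated into a shell
    // command line unescaped, so any shell metacharacters it contains are
    // interpreted by the shell that popen() starts.
    public function sendmailCommandUnsafe(): string
    {
        return sprintf('%s -oi -f %s -t', $this->Sendmail, $this->Sender);
    }

    // Hardened shape: the binary path goes through escapeshellcmd() and the
    // address through escapeshellarg(), so the sender is passed to sendmail
    // as one literal argument whatever characters it contains.
    public function sendmailCommandSafe(): string
    {
        return sprintf('%s -oi -f %s -t',
            escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
    }

    // Reachability check used in the triage above: the sendmail code path
    // only runs when the mailer is configured to use sendmail; the default
    // ('mail') and 'smtp' never build this command line.
    public function usesSendmailPath(): bool
    {
        return strtolower($this->Mailer) === 'sendmail';
    }
}

$m = new MailerSketch();
$m->Sender = 'bugs@example.invalid';           // constructed sample value
var_dump($m->usesSendmailPath());              // default configuration
$m->Mailer = 'sendmail';
var_dump($m->usesSendmailPath());              // only now is the command line built
echo $m->sendmailCommandSafe(), "\n";
```

Auditing a bundled copy therefore means checking both the escaping in the command line and whether any configuration can set $Mailer to 'sendmail'.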