Fedora 11 PH-PEAR Mail Update: Fix Header Escaping Attack Risk
fedora
December 1, 2009
Fix CVE-2009-4023, CVE-2009-4111 PEAR's Mail class did not properly escape content of mail header fields, when using the sendmail backend
Summary
PEAR's Mail package defines an interface for implementing mailers under the
PEAR hierarchy. It also provides supporting functions useful to multiple
mailer backends. Currently supported backends include: PHP's native
mail() function, sendmail, and SMTP. This package also provides a RFC822
email address list validation utility class.
Update Information:
Fix CVE-2009-4023, CVE-2009-4111 PEAR's Mail class did not properly escape content of mail header fields, when using the sendmail backend. A remote attacker could send an email message, with specially-crafted headers to local user, leading to disclosure of content and potentially, to modification of arbitrary system file, once the email message was processed by the PEAR's Mail class.
Change Log
* Fri Nov 27 2009 Remi Collet
References
[ 1 ] Bug #540842 - CVE-2009-4023 php-pear-Mail: Absent sanitization of mail header fields https://bugzilla.redhat.com/show_bug.cgi?id=540842
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update php-pear-Mail' at the command line. For more information, refer to "Managing Software with yum", available at .
PREVIOUS 
NEXT Severity
important
Lowest
Low
Medium
High
Critical
Name: php-pear-Mail
Product: Fedora 11
Version: 1.1.14
Release: 5.fc11
Summary: Class that provides multiple interfaces for sending emails
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!