Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-PSA-2016-004
- Project: PHPMailer (third-party library)
- Version: 7.x, 8.x
- Date: 2016-December-26
- Security risk: 23/25 ( Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
- Vulnerability: Arbitrary PHP code execution
The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library.
In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins. However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers.
CVE identifier(s) issued
All versions of the external PHPMailer library < 5.2.18.
Drupal core is not affected. If you do not use the contributed PHPMailer third party library, there is nothing you need to do.
Upgrade to the newest version of the phpmailler library. https://github.com/PHPMailer/PHPMailer
If you are using the SMTP module
The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.
The SMTP module had an update marked as a security update, this was incorrect, the pervious version of smtp was not vulnerable to the phpmailler issue. This update just removed some older code that was not being used.
- Dawid Golunski
Updated on 2016-12-27, to clarify smtp module does not need a security update
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity