
wikimedia/wikimania-scholarships has vulnerable dependencies
Closed, ResolvedPublic

Description

https://integration.wikimedia.org/ci/job/php-composer-security-docker/7/console

Hosted at https://scholarships.wikimedia.org/apply

14:44:56 Security Report
14:44:56 ===============
14:44:56 
14:44:56 The checker detected 1 package(s) that have known* vulnerabilities in
14:44:56 your project. We recommend you to check the related security advisories
14:44:56 and upgrade these dependencies.
14:44:56 
14:44:56 phpmailer/phpmailer (v5.2.9)
14:44:56 ----------------------------
14:44:56 
14:44:56 CVE-2016-10033: Remote Code Execution
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
14:44:56 
14:44:56 CVE-2017-5223: Local File Disclosure
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.22
14:44:56 
14:44:56 CVE-2017-11503: XSS vulnerability in code example
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24
14:44:56 
14:44:56 CVE-2015-8476: Multiple CRLF injection vulnerabilities
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
14:44:56 
14:44:56 CVE-2016-10045: Remote Code Execution
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20
14:44:56 
14:44:56 
14:44:56 * Disclaimer: This checker can only detect vulnerabilities that are referenced
14:44:56               in the security advisories database.
14:44:56               https://github.com/FriendsOfPHP/security-advisories
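As an added illustration (not code from the task, the checker job, or the wikimania-scholarships project), the following script reproduces the report's core check offline: it reads the locked version of phpmailer/phpmailer from a composer.lock, compares it against a table of the five CVEs the report lists, and states the lowest release that clears all of them. The table's fixed versions are taken from the release tags the report links to, on the assumption that each linked tag is the first release containing that fix; the composer.lock excerpt is constructed, and the real checker consults the full FriendsOfPHP advisories database rather than this hand-built table.

```python
"""Added example: reproduce the advisory check for the PHPMailer CVEs
listed in the report against a composer.lock (example code, not the
checker's or the project's own).  Assumes the release tag linked by each
advisory is the first fixed version; the lock excerpt below is constructed."""
import json
import re

# CVE -> first fixed version, from the release tags linked in the report.
# Assumption: the linked tag is the earliest release containing the fix.
PHPMAILER_ADVISORIES = {
    "CVE-2015-8476": "5.2.14",   # multiple CRLF injection vulnerabilities
    "CVE-2016-10033": "5.2.18",  # remote code execution
    "CVE-2016-10045": "5.2.20",  # remote code execution
    "CVE-2017-5223": "5.2.22",   # local file disclosure
    "CVE-2017-11503": "5.2.24",  # XSS in a bundled code example
}

# Constructed composer.lock excerpt (not the project's real lock file);
# only the fields this check reads are present.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.9"},
        {"name": "slim/slim", "version": "2.6.3"},
    ],
    "packages-dev": [],
})


def parse_version(v):
    """'v5.2.9' -> (5, 2, 9): drop a leading 'v' and any trailing suffix."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(part) for part in m.group(1).split("."))


def locked_versions(lock_json):
    """Map package name -> locked version string, dev packages included."""
    lock = json.loads(lock_json)
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def applicable_advisories(installed, advisories):
    """CVEs whose fixed version is newer than the installed one, sorted."""
    current = parse_version(installed)
    return sorted(cve for cve, fixed in advisories.items()
                  if current < parse_version(fixed))


def minimum_safe_version(advisories):
    """Lowest release that clears every advisory in the table."""
    return max(advisories.values(), key=parse_version)


def check_lock(lock_json, package="phpmailer/phpmailer",
               advisories=PHPMAILER_ADVISORIES):
    """Return the installed version, the CVEs that still apply, and the
    version to upgrade to; None if the package is not locked at all."""
    versions = locked_versions(lock_json)
    if package not in versions:
        return None
    installed = versions[package]
    return {
        "installed": installed,
        "cves": applicable_advisories(installed, advisories),
        "upgrade_to": minimum_safe_version(advisories),
    }


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Run against the constructed lock, the check flags all five CVEs for v5.2.9 and reports 5.2.24 as the release to move to; the same function applied to a lock pinned at v5.2.20 would leave only the two later advisories outstanding, which is the behaviour a re-run of the CI job is verifying after an upgrade.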

Event Timeline

Legoktm created this task.Oct 16 2018, 9:55 PM
Restricted Application added a subscriber: Aklapper.Oct 16 2018, 9:55 PM
Legoktm added a subscriber: bd808.Oct 16 2018, 9:55 PM

I don't know how I can help here. I only used this tool but never had access to its code. I don't understand the error log either. ;-)

That's ok. I just subscribed everyone on phab who was listed as a member of the "project", as security tasks are restricted but I wanted to make sure anyone potentially involved could see it.

KTC added a comment.Nov 9 2018, 12:31 PM

I think someone needs to update the package under \wikimania-scholarships\vendor\phpmailer\phpmailer and make sure nothing is broken by it?

bd808 added a comment.Nov 9 2018, 10:03 PM

I will poke at this in my "volunteer" time over the long weekend.

Thanks @bd808. @Bawolff do you want to run another report to make sure this is fixed?

@Niharika - just ran the wikimedia-apps-php-security job against scholarships and slimapp in jenkins. First time I've ever done that, but it looks like they came back clean:

https://integration.wikimedia.org/ci/job/wikimedia-apps-php-security/46/console

(as opposed to iegreview, which still fails with CVEs reported)

Niharika closed this task as Resolved.Nov 30 2018, 8:23 PM

Thanks @sbassett! Closing this task. I accepted the iegreview one (D1128) but I believe it still needs to be landed by bd808.

bd808 reopened this task as Open.Nov 30 2018, 9:27 PM

Reopening because these fixes are in git, but not deployed yet.

bd808 closed this task as Resolved.Feb 19 2019, 1:46 AM

Updates have been deployed into production

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 19 2019, 3:19 AM