Announcement

#1 2021-05-17 22:58:27

jclifford
Member
2019-01-06
36

Error in new update?

After installing Piwigo 11.5.0 I received the message below from my hosting company:
-----------------------------------------------------------------------------------------------------------
Hello,

As part of our commitment to providing you with a secure hosting environment, we performed an automated scan of your domain(s) johnclifford.me.uk hosted on nl1-ss16.a2hosting.com

It appears patches are available for application(s) installed in the following path(s):

Code injection vulnerability in PHPMailer
/home/johnclif/public_html/piwigo/include/phpmailer/class.phpmailer.php

If you are working with a development partner, please forward this email on to them as they will be able to take care of the update for you. Otherwise, we will automatically apply the above patches within seven days.

Click here to learn more about our perpetual security scans: https://www.a2hosting.com/kb/cpanel/adv … s/patchman

Best regards,

The A2 Hosting Support Team
-------------------------------------------------------------------------------------------

Copy here your environment details, found on your Piwigo page [Administration > Tools > Maintenance]

Operating system: Linux
PHP: 7.2.34 (Show info) [2021-05-17 16:54:21]
MySQL: 10.3.22-MariaDB-cll-lve [2021-05-17 22:54:21]
Graphics Library: ImageMagick 7.0.10-10

Piwigo URL: https://www.johnclifford.me.uk/piwigo/


 

#2 2021-05-18 10:40:48

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

Hi jclifford,

Does your hosting provider give you more details about the security issue with PHPMailer?

Piwigo 11.5.0 uses PHPMailer 5.2.21, which is quite old, but still compatible with old versions of PHP, as Piwigo is. For Piwigo 12 we will increase the minimum required PHP version and we will be able to install a much newer version of PHPMailer.

For now, we can update to PHPMailer 5.2.28 which includes 2 security fixes, but I don't know if that's the problem triggered by your hosting provider.


 

#3 2021-05-18 11:46:48

downtrip
Member
2021-05-18
5

Re: Error in new update?

Hi,

Today I just got the same message from A2Hosting as jclifford. My Piwigo details are


    Piwigo 11.5.0 Check for upgrade
    Operating system: Linux
    PHP: 7.4.16 (Show info) [2021-05-18 05:43:20]
    MySQL: 5.5.5-10.3.23-MariaDB-cll-lve [2021-05-18 11:43:20]
    Graphics Library: ImageMagick 7.0.10-10

No details from A2Hosting about which CVE they are referring to. I'll open a support ticket and try and get further details. I was using PHP 7.3 and upgraded it to the latest available 7.4 this morning. 8.0 doesn't work.


 

#4 2021-05-18 11:49:47

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

Thank you for this first feedback.

I know the latest version on branch 5.2 (i.e. 5.2.28) was released to avoid warning/error messages with PHP 7.4, see [Github] PHPMailer commit db4d3d0c, so maybe it's the problem.


 

#5 2021-05-18 12:00:09

downtrip
Member
2021-05-18
5

Re: Error in new update?

I've opened a ticket with A2Hosting and will get back to you with any further details.


 

#6 2021-05-18 12:05:49

downtrip
Member
2021-05-18
5

Re: Error in new update?

Just got this back:

I would like to let you know that there should be no issues with the mentioned PHPMailer as Patchman should apply an automatic update for it in one week. In case you want the patch to be applied manually, instead of automatic update, it can be done in one click with the help of the following manual:

https://www.a2hosting.com/kb/cpanel/adv … ount

In case you have any questions unanswered, please let us know.

Not sure if that is any help to you though. Hopefully it won't break Piwigo?


 

#7 2021-05-18 12:14:51

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

If they update PHPMailer to a version 6.x, it will break Piwigo, for sure. If they update to 5.2.28 there should be no problem (didn't fully test for now).


 

#8 2021-05-18 12:31:58

downtrip
Member
2021-05-18
5

Re: Error in new update?

I just patched PHPMailer using 'Patchman' from the Control Panel and the site still works. Can you tell me how to find the details for PHPMailer so I can let you know which version?

EDIT: A2Hosting pointed me to this CVE https://github.com/advisories/GHSA-4pc3-96mx-wwc8

Last edited by downtrip (2021-05-18 12:59:38)


 

#9 2021-05-18 14:38:12

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

That's weird. The link you posted is about CVE-2016-10045, but this security issue was fixed in PHPMailer 5.2.20 and Piwigo 11.5.0 is on PHPMailer 5.2.21.

downtrip wrote:

Can you tell me how to find the details for PHPMailer so I can let you know which version?

open file include/phpmailer/class.phpmailer.php and find line:

Code:

34     public $Version = '5.2.21';

I'm going to try PHPMailer 5.2.28

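A scripted form of the check plg describes, as an added example that is not from the thread or the Piwigo project: it reads the `public $Version` line of class.phpmailer.php and compares it with the two fix levels mentioned above (5.2.20 for CVE-2016-10045, 5.2.28 as the last 5.2 release). It assumes a POSIX shell with `sort -V` (GNU coreutils or busybox); the sample file it creates is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Piwigo/PHPMailer.
# Assumes `sort -V` is available for version ordering.

# Print the version declared in a PHPMailer 5.x class file, e.g. "5.2.21".
phpmailer_version() {
    sed -n 's/^[[:space:]]*public [$]Version = [^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when $1 >= $2 in version order (5.2.28 > 5.2.9, unlike string order).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify a class file against the thresholds from the thread:
#   < 5.2.20  -> vulnerable (CVE-2016-10045 fix missing)
#   < 5.2.28  -> outdated   (two later 5.2 security fixes missing)
#   otherwise -> current
phpmailer_status() {
    v=$(phpmailer_version "$1")
    if [ -z "$v" ]; then echo missing
    elif ! version_ge "$v" 5.2.20; then echo vulnerable
    elif ! version_ge "$v" 5.2.28; then echo outdated
    else echo current
    fi
}

# Constructed sample mimicking the relevant line of include/phpmailer/class.phpmailer.php.
make_sample() {
    tmpf=$(mktemp)
    printf '<?php\nclass PHPMailer\n{\n    public $Version = %s;\n}\n' "'$1'" > "$tmpf"
    echo "$tmpf"
}

# Demonstration on the version shipped with Piwigo 11.5.0.
demo=$(make_sample 5.2.21)
echo "PHPMailer $(phpmailer_version "$demo"): $(phpmailer_status "$demo")"
rm -f "$demo"
```

Point `phpmailer_status` at a real class.phpmailer.php to get the same classification for an installed copy.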

 

#10 2021-05-18 14:45:14

downtrip
Member
2021-05-18
5

Re: Error in new update?

It is at that version (5.2.21).


 

#11 2021-05-18 14:57:50

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

My test with PHPMailer 5.2.28 shows no problem (with PHP 7.4).


 

#12 2021-05-18 15:10:30

Zentalquabula
Member
2014-05-10
217

Re: Error in new update?

Piwigo could always choose to be compatible with CURRENT software, that is PHP 8 etc, in order to avoid security problems with legacy-ware…

plg wrote:

If they update PHPMailer to a version 6.x, it will break Piwigo, for sure. If they update to 5.2.28 there should be no problem (didn't fully test for now).


 

#13 2021-05-18 15:23:38

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Error in new update?

Zentalquabula wrote:

Piwigo could always choose to be compatible with CURRENT software, that is PHP 8 etc, in order to avoid security problems with legacy-ware…

You don't realize how *impossible* it is I think :-)

Being compatible with PHP 8 is one thing. Forcing all Piwigo users to update their PHP to latest version 8 is an absolutely impossible mission. So if we don't care about our users, then it would be the way to go. But... we do care :-) We want Piwigo to be "installable", so we have to make compromises.

The current compromise, being compatible with PHP 5.3, is becoming really problematic. I agree. That's why we have implemented a "check for required PHP version before upgrade" in Piwigo 11. This way we will be able to easily increase the required version from PHP 5.3 to... 7.0 or maybe 7.2 in Piwigo 12 (certainly not PHP 8, way too soon for that).

https://piwigo.org/screenshots/piwigo-11-update-check-requirements.png


 

#14 2021-05-19 11:12:37

jclifford
Member
2019-01-06
36

Re: Error in new update?

Updating to PHPMailer 5.2.28 seems the way to go, but how do I do that?


 

#15 2021-05-19 15:02:28

erAck
Only trying to help
2015-09-06
1998

Re: Error in new update?

Just wait until it gets updated with a (the next?) Piwigo update.


Running Piwigo at https://erack.net/gallery/


 
