Candidate: CVE-2016-10034
PublicDate: 2016-12-30 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10034
 https://framework.zend.com/security/advisory/ZF2016-04
 https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
Description:
 The setFrom function in the Sendmail adapter in the zend-mail component
 before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework
 before 2.4.11 might allow remote attackers to pass extra parameters to the
 mail command and consequently execute arbitrary code via a \" (backslash
 double quote) in a crafted e-mail address.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libphp-phpmailer:
upstream_libphp-phpmailer: released (5.1)
precise_libphp-phpmailer: not-affected (5.1-1+deb6u11build0.12.04.1)
trusty_libphp-phpmailer: not-affected
trusty/esm_libphp-phpmailer: DNE (trusty was not-affected)
vivid/stable-phone-overlay_libphp-phpmailer: DNE
vivid/ubuntu-core_libphp-phpmailer: DNE
xenial_libphp-phpmailer: not-affected
yakkety_libphp-phpmailer: not-affected
devel_libphp-phpmailer: not-affected