Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#37210 closed task (blessed) (fixed)

Update PHPMailer to 5.2.21

Reported by: mattyrob's profile MattyRob Owned by: dd32's profile dd32
Milestone: 4.7.1 Priority: normal
Severity: critical Version:
Component: External Libraries Keywords: has-patch needs-testing
Focuses: Cc:

Description

About 3 weeks about a new version of PHPMailer was released in the 5.x.x branch and efforts continue in the 6.x.x branch.

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.16

We should investigate whether we can / should update to the 6.x.x branch (which seems to need PHP 5.5) when released or simply update in the current 5.x.x branch

Attachments (9)

37210.diff (22.1 KB) - added by MattyRob 8 years ago.
39397.patch (42.3 KB) - added by sebastian.pisula 8 years ago.
5.2.19
37210v2.diff (34.9 KB) - added by MattyRob 8 years ago.
class.phpmailer_5.2.14.diff (4.1 KB) - added by sfpt 8 years ago.
Diff between upstream and wordpress for class-phpmailer
class.smtp_5.2.14.diff (3.3 KB) - added by sfpt 8 years ago.
Diff between upstream and wordpress for class-smtp
0001-Upgrade-PHPMailer-from-5.2.14-to-5.2.19.patch (31.6 KB) - added by sfpt 8 years ago.
37210v3.diff (36.1 KB) - added by MattyRob 8 years ago.
37210v4.diff (36.1 KB) - added by MattyRob 8 years ago.
37210.2.diff (36.9 KB) - added by dd32 8 years ago.

Download all attachments as: .zip

Change History (53)

@MattyRob
8 years ago

#1 @MattyRob
8 years ago

  • Keywords has-patch needs-testing added

#2 @ocean90
8 years ago

#39395 was marked as a duplicate.

#3 @ocean90
8 years ago

  • Keywords needs-refresh added
  • Summary changed from Update PHPMailer to 5.2.16 to Update PHPMailer to 5.2.19

#4 @swissspidy
8 years ago

#39397 was marked as a duplicate.

@sebastian.pisula
8 years ago

5.2.19

#5 @sebastian.pisula
8 years ago

  • Keywords needs-refresh removed

#6 @sebastian.pisula
8 years ago

Added patch to 5.2.19. Patch build on WP 4.8-alpha-39637

#7 follow-up: @MattyRob
8 years ago

I don't think the most recent patch include the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP more, simple addition of a call to include the right file.

Also, we don't include the extras subfolder to the class-smtp.php authentication for NTLM will fail - code section therefore removed in the updated patch.

@MattyRob
8 years ago

#8 @MattyRob
8 years ago

37210v2 patch is passing PHPUnit tests and also basic emails in live WordPress usage.

#9 @archon810
8 years ago

Any ETA on the push timing of this hotfix? Thanks.

#10 @frettled
8 years ago

Shouldn't this issue be a bug and severity major/critical?

#11 in reply to: ↑ 7 @sfpt
8 years ago

Replying to MattyRob:

I don't think the most recent patch include the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP more, simple addition of a call to include the right file.

Also, we don't include the extras subfolder to the class-smtp.php authentication for NTLM will fail - code section therefore removed in the updated patch.

XOAUTH2 is also not included. I'm going to attach a diff between upstream and wordpress and the patch I created.

@sfpt
8 years ago

Diff between upstream and wordpress for class-phpmailer

@sfpt
8 years ago

Diff between upstream and wordpress for class-smtp

#12 @theapotek
8 years ago

  • Severity changed from normal to critical

I think we should bump this up. PHPMailer < 5.2.18 has a critical security hole that will be publicized shortly.

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

If we take latest 5.2.x, we minimize backwards compatibility issues and could help protect an enormous installed user base. https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.19

Last edited 8 years ago by theapotek (previous) (diff)

#13 @theatp
8 years ago

Still: PHPMailer < 5.2.20 is also vulnerable http://seclists.org/bugtraq/2016/Dec/54- Also this affects not only WordPress 4.6 but latest version as well.

#14 @dd32
8 years ago

  • Milestone changed from Awaiting Review to 4.7.1
  • Type changed from enhancement to task (blessed)
  • Version 4.6 deleted

The WordPress Security team is aware of the PHPMailer issues. We've been in contact with the author and security researchers and discussing the fixes.

Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.

The upcoming 4.7.1 release will contain mitigation for these issues, we're committed to only shipping secure libraries with WordPress - regardless of whether we use the feature or not.
We don't have any specific timing details to share at present, however the preparations for a 4.7.1 release was already underway when we learnt about the issues.

@sebastian.pisula, @MattyRob, @sfpt - Thank you for the patches, and catching the hacks we've made and including them.

edit: Yes, we're also aware of the follow up report(s) to the original issue, and are actively working with all involved. We're going to commit/release something secure, when it's available, rather than rushing it.

Last edited 8 years ago by dd32 (previous) (diff)

#15 @fierevere
8 years ago

please before committing, pay attention to new CVE, 5.2.19 issued patch wasnt enough to close problem

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

https://github.com/PHPMailer/PHPMailer
fix has been issued in trunk, no version bump yet

#16 @MattyRob
8 years ago

  • Summary changed from Update PHPMailer to 5.2.19 to Update PHPMailer to 5.2.20

Further bug fix released in the last few hours, now at 5.2.20

@MattyRob
8 years ago

#17 @MattyRob
8 years ago

Above patch is updated against currently bundled version with WordPress modifications maintained. Passes PHPUnit tests for mail.

#18 follow-up: @Presskopp
8 years ago

FYI:

Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes

#19 in reply to: ↑ 18 @lukecavanagh
8 years ago

Replying to Presskopp:

FYI:

Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes

Just noticed the updated release as well.

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.21

#20 @MattyRob
8 years ago

  • Summary changed from Update PHPMailer to 5.2.20 to Update PHPMailer to 5.2.21

It seems just the 'VERSION' file was affected and left at 5.2.19.

Version numbers updated and new patch to follow.

@MattyRob
8 years ago

@dd32
8 years ago

#21 @dd32
8 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 39645:

Upgrade PHPMailer from 5.2.14 to 5.2.21.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.14...v5.2.21

Props sebastian.pisula, MattyRob, sfpt, dd32.
Fixes #37210 for trunk.

#22 @dd32
8 years ago

In 39646:

Upgrade PHPMailer from 5.2.14 to 5.2.21.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.14...v5.2.21

Props sebastian.pisula, MattyRob, sfpt, dd32, peterwilsoncc, voldemortensen.
Merges [39645] to the 4.7 branch.
Fixes #37210 for trunk.

#23 @dd32
8 years ago

In 39722:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.6 branch.
See #37210.

#24 @dd32
8 years ago

In 39723:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.5 branch.
See #37210.

#25 @dd32
8 years ago

In 39724:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.4 branch.
See #37210.

#26 @dd32
8 years ago

In 39725:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083] to the 4.3 branch.
See #37210.

#27 @dd32
8 years ago

In 39726:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124] to the 4.2 branch.
See #37210.

#28 @dd32
8 years ago

In 39727:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124] to the 4.1 branch.
See #37210.

#29 @dd32
8 years ago

In 39728:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783] to the 4.0 branch.
See #37210.

#30 @dd32
8 years ago

In 39729:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783] to the 3.9 branch.
See #37210.

#31 @dd32
8 years ago

In 39730:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783], [27385] to the 3.8 branch.
See #37210.

#32 @dd32
8 years ago

In 39731:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783], [27385] to the 3.7 branch.
See #37210.

#33 @dd32
8 years ago

In 39759:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Fixes #37210 for trunk.

#34 @dd32
8 years ago

In 39783:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.7 branch.
Fixes #37210 for 4.7.

#35 @dd32
8 years ago

In 39785:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.6 branch.
Fixes #37210 for 4.6.

#36 @dd32
8 years ago

In 39786:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.5 branch.
Fixes #37210 for 4.5.

#37 @dd32
8 years ago

In 39787:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.4 branch.
Fixes #37210 for 4.4.

#38 @dd32
8 years ago

In 39788:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.3 branch.
Fixes #37210 for 4.3.

#39 @dd32
8 years ago

In 39789:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.2 branch.
Fixes #37210 for 4.2.

#40 @dd32
8 years ago

In 39790:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.1 branch.
Fixes #37210 for 4.1.

#41 @dd32
8 years ago

In 39791:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.0 branch.
Fixes #37210 for 4.0.

#42 @dd32
8 years ago

In 39792:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.9 branch.
Fixes #37210 for 3.9.

#43 @dd32
8 years ago

In 39793:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.8 branch.
Fixes #37210 for 3.8.

#44 @dd32
8 years ago

In 39794:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.7 branch.
Fixes #37210 for 3.7.

Note: See TracTickets for help on using tickets.