
Opened 11 months ago

Closed 5 months ago

Last modified 4 months ago

#37210 closed task (blessed) (fixed)

Update PHPMailer to 5.2.21

Reported by: MattyRob
Owned by: dd32
Milestone: 4.7.1
Priority: normal
Severity: critical
Version:
Component: External Libraries
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

About 3 weeks ago a new version of PHPMailer was released in the 5.x.x branch, and efforts continue in the 6.x.x branch.

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.16

We should investigate whether we can / should update to the 6.x.x branch (which seems to need PHP 5.5) when released, or simply update in the current 5.x.x branch.

Attachments (9)

37210.diff (22.1 KB) - added by MattyRob 11 months ago.
39397.patch (42.3 KB) - added by sebastian.pisula 5 months ago.
5.2.19
37210v2.diff (34.9 KB) - added by MattyRob 5 months ago.
class.phpmailer_5.2.14.diff (4.1 KB) - added by sfpt 5 months ago.
Diff between upstream and wordpress for class-phpmailer
class.smtp_5.2.14.diff (3.3 KB) - added by sfpt 5 months ago.
Diff between upstream and wordpress for class-smtp
0001-Upgrade-PHPMailer-from-5.2.14-to-5.2.19.patch (31.6 KB) - added by sfpt 5 months ago.
37210v3.diff (36.1 KB) - added by MattyRob 5 months ago.
37210v4.diff (36.1 KB) - added by MattyRob 5 months ago.
37210.2.diff (36.9 KB) - added by dd32 5 months ago.


Change History (53)

@MattyRob
11 months ago

#1 @MattyRob
11 months ago

  • Keywords has-patch needs-testing added

#2 @ocean90
5 months ago

#39395 was marked as a duplicate.

#3 @ocean90
5 months ago

  • Keywords needs-refresh added
  • Summary changed from Update PHPMailer to 5.2.16 to Update PHPMailer to 5.2.19

#4 @swissspidy
5 months ago

#39397 was marked as a duplicate.

@sebastian.pisula
5 months ago

5.2.19

#5 @sebastian.pisula
5 months ago

  • Keywords needs-refresh removed

#6 @sebastian.pisula
5 months ago

Added patch to 5.2.19. Patch built on WP 4.8-alpha-39637.

#7 follow-up: @MattyRob
5 months ago

I don't think the most recent patch includes the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP mode; a simple addition of a call to include the right file.

Also, as we don't include the extras subfolder, the class-smtp.php authentication for NTLM will fail; that code section is therefore removed in the updated patch.

@MattyRob
5 months ago

#8 @MattyRob
5 months ago

37210v2 patch is passing PHPUnit tests and also basic emails in live WordPress usage.

#9 @archon810
5 months ago

Any ETA on the push timing of this hotfix? Thanks.

#10 @frettled
5 months ago

Shouldn't this issue be a bug and severity major/critical?

#11 in reply to: ↑ 7 @sfpt
5 months ago

Replying to MattyRob:

I don't think the most recent patch includes the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP mode; a simple addition of a call to include the right file.

Also, as we don't include the extras subfolder, the class-smtp.php authentication for NTLM will fail; that code section is therefore removed in the updated patch.

XOAUTH2 is also not included. I'm going to attach a diff between upstream and wordpress and the patch I created.

@sfpt
5 months ago

Diff between upstream and wordpress for class-phpmailer

@sfpt
5 months ago

Diff between upstream and wordpress for class-smtp

#12 @theapotek
5 months ago

  • Severity changed from normal to critical

I think we should bump this up. PHPMailer < 5.2.18 has a critical security hole that will be publicized shortly.

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

If we take latest 5.2.x, we minimize backwards compatibility issues and could help protect an enormous installed user base. https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.19

Last edited 5 months ago by theapotek.

#13 @theatp
5 months ago

Still: PHPMailer < 5.2.20 is also vulnerable: http://seclists.org/bugtraq/2016/Dec/54 - Also, this affects not only WordPress 4.6 but the latest version as well.

#14 @dd32
5 months ago

  • Milestone changed from Awaiting Review to 4.7.1
  • Type changed from enhancement to task (blessed)
  • Version 4.6 deleted

The WordPress Security team is aware of the PHPMailer issues. We've been in contact with the author and security researchers and discussing the fixes.

Presently, WordPress Core (and as a result, anything utilising wp_mail()) is unaffected by the recent disclosures; the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() do not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.

The upcoming 4.7.1 release will contain mitigation for these issues, we're committed to only shipping secure libraries with WordPress - regardless of whether we use the feature or not.
We don't have any specific timing details to share at present; however, the preparations for a 4.7.1 release were already underway when we learnt about the issues.

@sebastian.pisula, @MattyRob, @sfpt - Thank you for the patches, and catching the hacks we've made and including them.

edit: Yes, we're also aware of the follow-up report(s) to the original issue, and are actively working with all involved. We're going to commit/release something secure when it's available, rather than rushing it.

Last edited 5 months ago by dd32.

#15 @fierevere
5 months ago

Please, before committing, pay attention to the new CVE: the 5.2.19 patch wasn't enough to close the problem.

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

https://github.com/PHPMailer/PHPMailer
fix has been issued in trunk, no version bump yet
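The thread above shows the same library being bumped several times (5.2.19, 5.2.20, 5.2.21, and finally 5.2.22 in the later commits) because earlier fixes were bypassed, so an operator is left wanting a quick way to confirm what a deployed WordPress tree actually bundles. The script below is an added example for that purpose and is not code from this ticket, from WordPress core, or from PHPMailer. It assumes the 5.2.x convention that class-phpmailer.php declares `public $Version = '5.2.x';`, and it assumes the file lives at `wp-includes/class-phpmailer.php` under each site root; the inline sample source is constructed for the offline demonstration.

```php
<?php
// Added example (not WordPress core or PHPMailer code): audit the PHPMailer
// bundled with a WordPress install against a minimum version. The file path
// and the sample source string are assumptions / constructed test data.

/**
 * Extract the version string from the source of class-phpmailer.php.
 * PHPMailer 5.2.x declares it as:  public $Version = '5.2.14';
 * Returns null when no such declaration is present.
 */
function phpmailer_version_from_source(string $source): ?string {
    $pattern = '/public\s+\$Version\s*=\s*[\'"]([0-9]+(?:\.[0-9]+)*)[\'"]/';
    if (preg_match($pattern, $source, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * True when the bundled copy is older than $minimum. The default, 5.2.22,
 * is the version the commits on this ticket end on. An unrecognisable file
 * is reported as needing attention rather than silently passing.
 */
function phpmailer_needs_update(?string $found, string $minimum = '5.2.22'): bool {
    if ($found === null) {
        return true;
    }
    // version_compare handles multi-digit components correctly (5.2.14 < 5.2.22).
    return version_compare($found, $minimum, '<');
}

/**
 * Audit one WordPress root. The wp-includes/class-phpmailer.php location is an
 * assumption about where WordPress of this era keeps the library.
 */
function audit_wordpress_root(string $root, string $minimum = '5.2.22'): array {
    $file = rtrim($root, '/') . '/wp-includes/class-phpmailer.php';
    if (!is_readable($file)) {
        return ['file' => $file, 'version' => null, 'needs_update' => true, 'note' => 'file not found'];
    }
    $version = phpmailer_version_from_source((string) file_get_contents($file));
    return [
        'file'         => $file,
        'version'      => $version,
        'needs_update' => phpmailer_needs_update($version, $minimum),
        'note'         => $version === null ? 'no $Version declaration found' : '',
    ];
}

// Constructed sample: the header of a pre-fix copy (5.2.14, the version this
// ticket started from), so the check can be exercised without a live install.
$sample = "<?php\nclass PHPMailer\n{\n    public \$Version = '5.2.14';\n    public \$Priority = null;\n}\n";
$v = phpmailer_version_from_source($sample);
printf("constructed sample declares %s; needs update: %s\n", $v, phpmailer_needs_update($v) ? 'yes' : 'no');

// Real use: php audit.php /path/to/site1 /path/to/site2
foreach (array_slice($argv ?? [], 1) as $root) {
    $r = audit_wordpress_root($root);
    printf("%s: %s -> %s %s\n", $r['file'], $r['version'] ?? 'unknown', $r['needs_update'] ? 'UPDATE' : 'ok', $r['note']);
}
```

The check deliberately reads the class file rather than trusting the separate VERSION file, because comment #20 above notes that in 5.2.20 the VERSION file was left at 5.2.19 while the class itself had been updated; the `$Version` property inside the class is what the running code reports.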

#16 @MattyRob
5 months ago

  • Summary changed from Update PHPMailer to 5.2.19 to Update PHPMailer to 5.2.20

A further bug fix was released in the last few hours; now at 5.2.20.

@MattyRob
5 months ago

#17 @MattyRob
5 months ago

Above patch is updated against currently bundled version with WordPress modifications maintained. Passes PHPUnit tests for mail.

#18 follow-up: @Presskopp
5 months ago

FYI:

Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes

#19 in reply to: ↑ 18 @lukecavanagh
5 months ago

Replying to Presskopp:

FYI:

Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes

Just noticed the updated release as well.

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.21

#20 @MattyRob
5 months ago

  • Summary changed from Update PHPMailer to 5.2.20 to Update PHPMailer to 5.2.21

It seems just the 'VERSION' file was affected and left at 5.2.19.

Version numbers updated and new patch to follow.

@MattyRob
5 months ago

@dd32
5 months ago

#21 @dd32
5 months ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 39645:

Upgrade PHPMailer from 5.2.14 to 5.2.21.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.14...v5.2.21

Props sebastian.pisula, MattyRob, sfpt, dd32.
Fixes #37210 for trunk.

#22 @dd32
5 months ago

In 39646:

Upgrade PHPMailer from 5.2.14 to 5.2.21.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.14...v5.2.21

Props sebastian.pisula, MattyRob, sfpt, dd32, peterwilsoncc, voldemortensen.
Merges [39645] to the 4.7 branch.
Fixes #37210 for trunk.

#23 @dd32
5 months ago

In 39722:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.6 branch.
See #37210.

#24 @dd32
5 months ago

In 39723:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.5 branch.
See #37210.

#25 @dd32
5 months ago

In 39724:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645] to the 4.4 branch.
See #37210.

#26 @dd32
5 months ago

In 39725:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083] to the 4.3 branch.
See #37210.

#27 @dd32
5 months ago

In 39726:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124] to the 4.2 branch.
See #37210.

#28 @dd32
5 months ago

In 39727:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124] to the 4.1 branch.
See #37210.

#29 @dd32
5 months ago

In 39728:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783] to the 4.0 branch.
See #37210.

#30 @dd32
5 months ago

In 39729:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783] to the 3.9 branch.
See #37210.

#31 @dd32
5 months ago

In 39730:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783], [27385] to the 3.8 branch.
See #37210.

#32 @dd32
5 months ago

In 39731:

Mail: Upgrade PHPMailer to 5.2.21.

Merges [39645], [36083], [33142], [33124], [29783], [27385] to the 3.7 branch.
See #37210.

#33 @dd32
5 months ago

In 39759:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Fixes #37210 for trunk.

#34 @dd32
5 months ago

In 39783:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.7 branch.
Fixes #37210 for 4.7.

#35 @dd32
5 months ago

In 39785:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.6 branch.
Fixes #37210 for 4.6.

#36 @dd32
5 months ago

In 39786:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.5 branch.
Fixes #37210 for 4.5.

#37 @dd32
5 months ago

In 39787:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.4 branch.
Fixes #37210 for 4.4.

#38 @dd32
5 months ago

In 39788:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.3 branch.
Fixes #37210 for 4.3.

#39 @dd32
5 months ago

In 39789:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.2 branch.
Fixes #37210 for 4.2.

#40 @dd32
5 months ago

In 39790:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.1 branch.
Fixes #37210 for 4.1.

#41 @dd32
5 months ago

In 39791:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 4.0 branch.
Fixes #37210 for 4.0.

#42 @dd32
5 months ago

In 39792:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.9 branch.
Fixes #37210 for 3.9.

#43 @dd32
5 months ago

In 39793:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.8 branch.
Fixes #37210 for 3.8.

#44 @dd32
5 months ago

In 39794:

Update PHPMailer to 5.2.22.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22

Merges [39759] to the 3.7 branch.
Fixes #37210 for 3.7.
