#37210 closed task (blessed) (fixed)
Update PHPMailer to 5.2.21
Reported by: | MattyRob | Owned by: | dd32 |
---|---|---|---|
Milestone: | 4.7.1 | Priority: | normal |
Severity: | critical | Version: | |
Component: | External Libraries | Keywords: | has-patch needs-testing |
Focuses: | Cc: |
Description
About 3 weeks about a new version of PHPMailer was released in the 5.x.x branch and efforts continue in the 6.x.x branch.
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.16
We should investigate whether we can / should update to the 6.x.x branch (which seems to need PHP 5.5) when released or simply update in the current 5.x.x branch
Attachments (9)
Change History (53)
#3
@
8 years ago
- Keywords needs-refresh added
- Summary changed from Update PHPMailer to 5.2.16 to Update PHPMailer to 5.2.19
#7
follow-up:
↓ 11
@
8 years ago
I don't think the most recent patch include the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP more, simple addition of a call to include the right file.
Also, we don't include the extras subfolder to the class-smtp.php authentication for NTLM will fail - code section therefore removed in the updated patch.
#8
@
8 years ago
37210v2 patch is passing PHPUnit tests and also basic emails in live WordPress usage.
#11
in reply to:
↑ 7
@
8 years ago
Replying to MattyRob:
I don't think the most recent patch include the WordPress fix to include the class-smtp.php file when using PHPMailer in SMTP more, simple addition of a call to include the right file.
Also, we don't include the extras subfolder to the class-smtp.php authentication for NTLM will fail - code section therefore removed in the updated patch.
XOAUTH2 is also not included. I'm going to attach a diff between upstream and wordpress and the patch I created.
#12
@
8 years ago
- Severity changed from normal to critical
I think we should bump this up. PHPMailer < 5.2.18 has a critical security hole that will be publicized shortly.
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
#13
@
8 years ago
Still: PHPMailer < 5.2.20 is also vulnerable http://seclists.org/bugtraq/2016/Dec/54- Also this affects not only WordPress 4.6 but latest version as well.
#14
@
8 years ago
- Milestone changed from Awaiting Review to 4.7.1
- Type changed from enhancement to task (blessed)
- Version 4.6 deleted
The WordPress Security team is aware of the PHPMailer issues. We've been in contact with the author and security researchers and discussing the fixes.
Presently, WordPress Core (and as a result, anything utilising wp_mail()
) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail()
does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail()
they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.
The upcoming 4.7.1 release will contain mitigation for these issues, we're committed to only shipping secure libraries with WordPress - regardless of whether we use the feature or not.
We don't have any specific timing details to share at present, however the preparations for a 4.7.1 release was already underway when we learnt about the issues.
@sebastian.pisula, @MattyRob, @sfpt - Thank you for the patches, and catching the hacks we've made and including them.
edit: Yes, we're also aware of the follow up report(s) to the original issue, and are actively working with all involved. We're going to commit/release something secure, when it's available, rather than rushing it.
#15
@
8 years ago
please before committing, pay attention to new CVE, 5.2.19 issued patch wasnt enough to close problem
https://github.com/PHPMailer/PHPMailer
fix has been issued in trunk, no version bump yet
#16
@
8 years ago
- Summary changed from Update PHPMailer to 5.2.19 to Update PHPMailer to 5.2.20
Further bug fix released in the last few hours, now at 5.2.20
#17
@
8 years ago
Above patch is updated against currently bundled version with WordPress modifications maintained. Passes PHPUnit tests for mail.
#18
follow-up:
↓ 19
@
8 years ago
FYI:
Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes
#19
in reply to:
↑ 18
@
8 years ago
Replying to Presskopp:
FYI:
Version 5.2.21 (December 28th 2016)
Fix missed number update in version file - no functional changes
Just noticed the updated release as well.
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.21
#20
@
8 years ago
- Summary changed from Update PHPMailer to 5.2.20 to Update PHPMailer to 5.2.21
It seems just the 'VERSION' file was affected and left at 5.2.19.
Version numbers updated and new patch to follow.
#39395 was marked as a duplicate.