#53430 closed enhancement (fixed)
Update PHPMailer to 6.5.0 security release
| Reported by: | ayeshrajans | Owned by: | SergeyBiryukov |
|---|---|---|---|
| Milestone: | 5.7.3 | Priority: | normal |
| Severity: | major | Version: | |
| Component: | External Libraries | Keywords: | has-patch commit fixed-major |
| Focuses: | | Cc: | |
Description
PHPMailer 6.5 was released a few minutes ago and contains fixes for an RCE vulnerability discovered in earlier versions. I will submit the changes as a patch, but I think the tests should fail because this release changes the validator, which, IIRC, WordPress overrides.
Attachments (1)
Change History (11)
#3
3 years ago
- Summary changed from Update PHPMailer to 6.5.1 security release to Update PHPMailer to 6.5.0 security release
#4
3 years ago
Thank you @Synchro, I indeed had mistakenly typed the wrong version number, updating now.

```php
$phpmailer::$validator = static function ( $email ) {
	return (bool) is_email( $email );
};
```

Apparently this is how the validator is added, so it shouldn't be a problem. I remember there was a ticket on core Trac about the validator failing with the is_email function, and them suggesting to change the validator to something else, hence my suspicion about failing tests.

We probably ought to put a dev note about this change.
#5
3 years ago
FWIW, despite one of the issues being an RCE, both are pretty impractical to exploit, so the risk is very low.
#6
3 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 51169:
#7
3 years ago
- Keywords has-patch commit fixed-major added
- Milestone changed from 5.8 to 5.7.3
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for 5.7.3 consideration.
It's 6.5.0, not 6.5.1. I think you should be OK with the validator change. What it prevents is injecting a simple string function name as a validator, but function injection or closures will continue to work as before, which I understand is how WordPress uses it. I passed this by WP folks on the security-cooperation channel, and they said as much.
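To make the validator change described above concrete, here is an added, simplified model of the accepted-versus-refused cases (not PHPMailer's or WordPress's own code): a closure in the shape WordPress assigns is honoured, while a validator supplied as a bare string function name is never called and the address falls back to a built-in check. The `is_email_stub` helper and `validate_address_model` function are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for WordPress's is_email(); assumed for this example only.
function is_email_stub(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Simplified model of the hardened behaviour: a validator is only invoked
 * when it is callable AND not a string. is_callable('strlen') is true, so
 * without the is_string() guard any function name reaching this value
 * would be executed; with it, string names are ignored and the address
 * is checked by the built-in fallback instead.
 */
function validate_address_model(string $address, $validator): bool
{
    if (is_callable($validator) && !is_string($validator)) {
        return (bool) $validator($address);
    }
    // Fallback used when the validator is absent, a string, or not callable.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Closure validator, the shape shown in the snippet earlier in this ticket.
$closure = static function (string $email): bool {
    return is_email_stub($email);
};

var_dump(validate_address_model('user@example.com', $closure));
var_dump(validate_address_model('not-an-address', $closure));

// A string function name is not executed. strlen('not-an-address') would be
// truthy, but the fallback check rejects the address, proving the string
// validator was ignored.
var_dump(validate_address_model('not-an-address', 'strlen'));
```

Running the script shows the closure path accepting the valid address and rejecting the invalid one, and the string-validator call rejecting the invalid address because the fallback check ran instead of `strlen`.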