Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#53430 closed enhancement (fixed)

Update PHPMailer to 6.5.0 security release

Reported by: ayeshrajans
Owned by: SergeyBiryukov
Milestone: 5.7.3
Priority: normal
Severity: major
Version:
Component: External Libraries
Keywords: has-patch commit fixed-major
Focuses:
Cc:

Description

PHPMailer 6.5 was released a few minutes ago and contains fixes for an RCE vulnerability discovered in earlier versions. I will submit the changes as a patch, but I think the tests should fail because this release changes the validator, which, IIRC, WordPress overrides.

Attachments (1)

53430.patch (4.5 KB) - added by ayeshrajans 3 years ago.


Change History (11)

#1 @Synchro
3 years ago

It's 6.5.0, not 6.5.1. I think you should be OK with the validator change. What it prevents is injecting a simple string function name as a validator, but function injection or closures will continue to work as before, which I understand is how WordPress uses it. I passed this by WP folks on the security-cooperation channel, and they said as much.

#2 @SergeyBiryukov
3 years ago

  • Milestone changed from Awaiting Review to 5.8

#3 @SergeyBiryukov
3 years ago

  • Summary changed from Update PHPMailer to 6.5.1 security release to Update PHPMailer to 6.5.0 security release

#4 @ayeshrajans
3 years ago

Thank you @Synchro, I indeed had mistakenly typed the wrong version number, updating now.

$phpmailer::$validator = static function ( $email ) {
	return (bool) is_email( $email );
};

Apparently this is how the validator is added, so it shouldn't be a problem. I remember there was a ticket on core Trac about the validator failing with the is_email function, and a suggestion to change the validator to something else, hence my suspicion about failing tests.

We probably ought to put a dev note about this change.
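A standalone PHP sketch of the validator-hook behaviour discussed in this ticket, added here as an illustration; it is not PHPMailer's or WordPress's code. MailerStub and is_email_stub are hypothetical stand-ins for the PHPMailer class and WordPress's is_email(), and the built-in patterns are simplified.

```php
<?php
// Simplified stand-in for the validator hook (not PHPMailer's real class).
// It shows why the closure form used by WordPress keeps working while a
// bare function-name string is no longer treated as a callable validator.
final class MailerStub
{
    /** Either a built-in pattern name (string) or a non-string callable. */
    public static $validator = 'php';

    public static function validateAddress(string $address, $patternselect = null): bool
    {
        if (null === $patternselect) {
            $patternselect = static::$validator;
        }
        // Hardened check: a string is only ever a pattern name here, never a
        // function name, so a string value can no longer select a function.
        if (is_callable($patternselect) && !is_string($patternselect)) {
            return (bool) call_user_func($patternselect, $address);
        }
        switch ((string) $patternselect) {
            case 'noregex':
                // Crude built-in: exactly one "@" with text on both sides.
                return (bool) preg_match('/^[^@]+@[^@]+$/', $address);
            case 'php':
            default:
                // Unknown names fall back to PHP's own filter.
                return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
        }
    }
}

// Hypothetical stand-in for WordPress's is_email(): a loose syntactic check.
function is_email_stub(string $email): bool
{
    return (bool) preg_match('/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/i', $email);
}

// 1. The closure form WordPress uses still works after the hardening.
MailerStub::$validator = static function ($email) {
    return (bool) is_email_stub($email);
};
var_dump(MailerStub::validateAddress('user@example.com')); // bool(true)
var_dump(MailerStub::validateAddress('not an email'));     // bool(false)

// 2. A string that happens to name a PHP function is NOT invoked: with the
//    old is_callable() check alone, 'strlen' would have been called and its
//    non-zero return would have "validated" the address. Now it is merely an
//    unknown pattern name and the built-in filter rejects the input.
var_dump(MailerStub::validateAddress('not an email', 'strlen')); // bool(false)
```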

#5 @Synchro
3 years ago

FWIW, despite one of the issues being an RCE, both are pretty impractical to exploit, so the risk is very low.

#6 @SergeyBiryukov
3 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51169:

External Libraries: Upgrade PHPMailer to version 6.5.0.

Release notes: https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0

For a full list of changes in this update, see the PHPMailer GitHub:
https://github.com/PHPMailer/PHPMailer/compare/v6.4.1...v6.5.0

Props ayeshrajans, Synchro.
Fixes #53430.

#7 @SergeyBiryukov
3 years ago

  • Keywords has-patch commit fixed-major added
  • Milestone changed from 5.8 to 5.7.3
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 5.7.3 consideration.

#8 @SergeyBiryukov
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 51170:

External Libraries: Upgrade PHPMailer to version 6.5.0.

Release notes: https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0

For a full list of changes in this update, see the PHPMailer GitHub:
https://github.com/PHPMailer/PHPMailer/compare/v6.4.1...v6.5.0

Props ayeshrajans, Synchro.
Merges [51169] to the 5.7 branch.
Fixes #53430.

This ticket was mentioned in Slack in #hosting-community by crixu.

3 years ago

This ticket was mentioned in Slack in #hosting-community by jadonn.

3 years ago
