This repository has been archived by the owner on Feb 4, 2021. It is now read-only.

Bump phpmailer/phpmailer from 5.2.16 to 5.2.27 #370

Closed


@dependabot dependabot bot commented on behalf of github Mar 6, 2020

Bumps phpmailer/phpmailer from 5.2.16 to 5.2.27.

Release notes

Sourced from phpmailer/phpmailer's releases.

PHPMailer 5.2.27

  • SECURITY Fix potential object injection vulnerability. CVE-2018-19296. Reported by Sehun Oh of cyberone.kr.

Note that the 5.2 branch is deprecated and will not receive security updates after 31st December 2018.

PHPMailer 5.2.26

  • Minor security backport from 6.0 - set Debugoutput in constructor according to SAPI in use, avoiding potential XSS in default debug output. Thanks to Bankde Eakasit for spotting it.

PHPMailer 5.2.25

  • Make obtaining SMTP transaction ID more reliable
  • Add Bosnian translation

This is the last official release in the legacy PHPMailer 5.2 series; there may be future security patches (which will be found in the 5.2-stable branch), but no further non-security PRs or issues will be accepted. Migrate to PHPMailer 6.0.

PHPMailer 5.2.24

  • SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
  • Handle bare codes (an RFC contravention) in SMTP server responses
  • Make message timestamps more dynamic - calculate the date separately for each message
  • Include timestamps in HTML-format debug output
  • Improve Turkish, Norwegian, Serbian, Brazilian Portuguese & simplified Chinese translations
  • Correction of Serbian ISO language code from sr to rs
  • Fix matching of multiple entries in Host to match IPv6 literals without breaking port selection (see #1094, caused by a3b4f6b)
  • Better capture and reporting of SMTP connection errors

PHPMailer 5.2.23

This is a minor maintenance release.

  • Improve trapping of TLS errors during connection so that they don't cause warnings, and are reported better in debug output
  • Amend test suite so it uses PHPUnit version 4.8, compatible with older versions of PHP, instead of the version supplied by Travis-CI
  • This forces pinning of some dev packages to older releases, but should make travis builds more reliable
  • Test suite now runs on HHVM, and thus so should PHPMailer in general
  • Improve Czech translations
  • Add links to CVE-2017-5223 resources

PHPMailer 5.2.22

  • SECURITY Fix CVE-2017-5223, local file disclosure vulnerability if content passed to msgHTML() is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to msgHTML() without a $basedir will not import images with relative URLs, and relative URLs containing .. will be ignored.
  • Add simple contact form example
  • Emoji in test content

PHPMailer 5.2.21

Fix missed number update in version file - no functional changes

PHPMailer 5.2.20

Important security update!

This release patches the critical vulnerability described in CVE-2016-10045, a remote code execution vulnerability, responsibly reported by Dawid Golunski, and patched by Paul Buonopane (@Zenexer).

Possible side effect - complex sender addresses (such as those used in VERP addressing) may no longer work. We advise switching to the SMTP transport if you need that functionality, and it offers higher performance anyway.

Please update your systems as soon as possible.

... (truncated)
Changelog

Sourced from phpmailer/phpmailer's changelog.

Version 5.2.27 (November 14th 2018)

  • SECURITY Fix potential object injection vulnerability. Reported by Sehun Oh of cyberone.kr.
  • Note that the 5.2 branch is now deprecated and will not receive security updates after 31st December 2018.

Version 6.0.5 (March 27th 2018)

  • Re-roll of 6.0.4 to fix missed version file entry. No code changes.

Version 6.0.4 (March 27th 2018)

  • Add some modern MIME types
  • Add Hindi translation (thanks to @dextel2)
  • Improve composer docs
  • Fix generation of path to language files

Version 6.0.3 (January 5th 2018)

  • Correct DKIM canonicalization of line breaks for header & body - thanks to @themichaelhall
  • Make dependence on ext-filter explicit in composer.json

Version 6.0.2 (November 29th 2017)

  • Don't make max line length depend on line break format
  • Improve Travis-CI config - thanks to Filippo Tessarotto
  • Match SendGrid transaction IDs
  • idnSupported() now static, as previously documented
  • Improve error messages for invalid addresses
  • Improve Indonesian translation (thanks to @januridp)
  • Improve Esperanto translation (thanks to @dknacht)
  • Clean up git export ignore settings for production and zip bundles
  • Update license doc
  • Updated upgrading docs
  • Clarify addStringEmbeddedImage docs
  • Hide auth credentials in all but lowest level debug output, prevents leakage in bug reports
  • Code style cleanup

Version 6.0.1 (September 14th 2017)

  • Use shorter Message-ID headers (with more entropy) to avoid iCloud blackhole bug
  • Switch to Symfony code style (though it's not well defined)
  • CI builds now apply syntax & code style checks, so make your PRs tidy!
  • CI code coverage only applied on latest version of PHP to speed up builds (thanks to @Slamdunk for these CI changes)
  • Remove composer.lock - it's important that libraries break early; keeping it is for apps
  • Rename test scripts to PSR-4 spec
  • Make content-id values settable on attachments, not just embedded items
  • Add SMTP transaction IDs to callbacks & allow for future expansion
  • Expand test coverage

Version 6.0 (August 28th 2017)

This is a major update that breaks backwards compatibility.

  • Requires PHP 5.5 or later
  • Uses the PHPMailer\PHPMailer namespace
  • File structure simplified and PSR-4 compatible, classes live in the src/ folder
  • The custom autoloader has been removed: use composer!
... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot bot added the dependencies and php labels Mar 6, 2020

dependabot bot commented on behalf of github May 27, 2020

Superseded by #371.

dependabot bot closed this May 27, 2020
dependabot bot deleted the dependabot/composer/phpmailer/phpmailer-5.2.27 branch May 27, 2020 17:09