SECURITY Fix potential object injection vulnerability. CVE-2018-19296. Reported by Sehun Oh of cyberone.kr.
Note that the 5.2 branch is deprecated and will not receive security updates after 31st December 2018.
PHPMailer 5.2.26
Minor security backport from 6.0 - set Debugoutput in constructor according to SAPI in use, avoiding potential XSS in default debug output. Thanks to Bankde Eakasit for spotting it.
PHPMailer 5.2.25
Make obtaining SMTP transaction ID more reliable
Add Bosnian translation
This is the last official release in the legacy PHPMailer 5.2 series; there may be future security patches (which will be found in the 5.2-stable branch), but no further non-security PRs or issues will be accepted. Migrate to PHPMailer 6.0.
PHPMailer 5.2.24
SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
Handle bare codes (an RFC contravention) in SMTP server responses
Make message timestamps more dynamic - calculate the date separately for each message
Include timestamps in HTML-format debug output
Improve Turkish, Norwegian, Serbian, Brazilian Portuguese & simplified Chinese translations
Correction of Serbian ISO language code from sr to rs
Fix matching of multiple entries in Host to match IPv6 literals without breaking port selection (see #1094, caused by a3b4f6b)
Better capture and reporting of SMTP connection errors
PHPMailer 5.2.23
This is a minor maintenance release.
Improve trapping of TLS errors during connection so that they don't cause warnings, and are reported better in debug output
Amend test suite so it uses PHPUnit version 4.8, compatible with older versions of PHP, instead of the version supplied by Travis-CI
This forces pinning of some dev packages to older releases, but should make travis builds more reliable
Test suite now runs on HHVM, and thus so should PHPMailer in general
Improve Czech translations
Add links to CVE-2017-5223 resources
PHPMailer 5.2.22
SECURITY Fix CVE-2017-5223, local file disclosure vulnerability if content passed to msgHTML() is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to msgHTML() without a $basedir will not import images with relative URLs, and relative URLs containing .. will be ignored.
Add simple contact form example
Emoji in test content
PHPMailer 5.2.21
Fix missed number update in version file - no functional changes
PHPMailer 5.2.20
Important security update!
This release patches the critical vulnerability described in CVE-2016-10045 a remote code execution vulnerability, responsibly reported by Dawid Golunski, and patched by Paul Buonopane (@Zenexer).
Possible side effect - complex sender addresses (such as those used in VERP addressing) may no longer work. We advise switching to the SMTP transport if you need that functionality, and it offers higher performance anyway.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Joomla-Bible-Study/cwmconnect/network/alerts).
dependabot[bot]
commented
4 years ago
Bumps phpmailer/phpmailer from 5.2.16 to 5.2.27.
Release notes
Sourced from phpmailer/phpmailer's releases.
Changelog
Sourced from phpmailer/phpmailer's changelog.
Commits
dde1db15.2.27f1231a9Backport changes for CVE-2018-1929644776b5Backport changes for CVE-2018-192964874af6Fix 5.2-stable branch README.md minimal install links that 404 (#1461)49ae798Add .github directory to export-ignore (#1261)22e8a57Update license file, fixes #124370362995.2.26b6316bbSwitch debug output according to SAPIb6eadbeminor typo change (#1222)d914f73Travis-CI no longer supports PHP 5.3, so remove itDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Joomla-Bible-Study/cwmconnect/network/alerts).