Feeling Lucky
?
?
?
[#34598] - [4.0] phpmailer - security update
- Fixed in Code Base
- 23 Jun 2021
- Medium
- Build: 4.0-dev
- # 34598
- Diff
- brianteeman:phpmailer
User tests: Successful: Unsuccessful:
This pr addresses two security issues
Version 6.5.0 (June 16th, 2021)
- SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See SECURITY.md for details.
- The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in them will not be run, including operations such as concatenation using the . operator.
- Deprecation The current translation file format using PHP arrays is now deprecated; the next major version will introduce a new format.
- SECURITY Fixes CVE-2021-3603 that may permit untrusted code to be run from an address validator. See SECURITY.md for details.
- The fix for this issue includes a minor BC break: callables injected into validateAddress, or indirectly through the $validator class property, may no longer be simple strings. If you want to inject your own validator, provide a closure instead of a function name.
- Haraka message ID strings are now recognised
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
zero-24
- comment
- 22 Jun 2021
From my understanding of the issues both are not valid for the usage within Joomla. Cause the language file is loaded from within Joomla language files and not from an external UNC path nor do I see where that validateAdress is within the core. Fixing it within the core package and update to the patched version of phpmailer makes sense to me.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-06-23 09:03:10 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
?
?
|
||
wilsonge
- comment
- 23 Jun 2021
Thanks!
richard67
- comment
- 23 Jun 2021
I just started to prepare for testing
matter for https://github.com/orgs/joomla/teams/security ?