Updating PHPMailer to v5.2.26
Fixing minor security issue, potential XSS if debug output is activated.

Composer:
  - Updating phpmailer/phpmailer (v5.2.25 => v5.2.26)

Fixes #23830
dregad committed Jan 11, 2018
1 parent 88db55e commit c883b83
Showing 1 changed file with 39 additions and 40 deletions.
79 changes: 39 additions & 40 deletions composer.lock

2 comments on commit c883b83

@atrol atrol commented on c883b83 Jan 11, 2018

@dregad
I had this also on my todo list, but my plan was to change composer.json to

       "phpmailer/phpmailer": "^5.2.26",

and run composer update after it to update composer.lock.

I thought this would be the better way to make a clear statement that MantisBT should not be used with any older version of phpmailer than 5.2.16, especially as this is a security-related version requirement.

@dregad dregad commented on c883b83 Jan 12, 2018

The reason I did not do as you suggest is because the fixes included in releases 5.2.23 and later (including the security ones) are technically not affecting us (in an out-of-the-box configuration), so a simple composer install will already pick up the latest 5.2.26 version with this commit.

That being said, I don't have a strong objection against such a change.
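
The two positions in this thread map to two separate checks: the version pinned in composer.lock and the lowest version the composer.json constraint still permits. The following is an added example, not part of the commit or of MantisBT's code. The function names and sample data are constructed, and the `^5.2.22` constraint is an assumed older floor for illustration, not MantisBT's actual composer.json.

```python
import json
import re

MIN_SAFE = (5, 2, 26)  # release named in the commit title

def parse_version(text):
    """Turn 'v5.2.26' or '5.2.26' into (5, 2, 26); None if not plain x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def constraint_floor(constraint):
    """Lowest version a simple Composer constraint allows.

    Handles '^x.y.z', '~x.y.z', '>=x.y.z' and an exact 'x.y.z'; in each of
    these the floor is the version written. Anything else returns None so
    the caller treats it as unverified rather than guessing.
    """
    m = re.fullmatch(r"\s*(\^|~|>=)?\s*(v?\d+\.\d+\.\d+)\s*", constraint)
    return parse_version(m.group(2)) if m else None

def locked_version(lock, package):
    """Version recorded for `package` in a parsed composer.lock, or None."""
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return parse_version(entry.get("version", ""))
    return None

def audit(manifest, lock, package="phpmailer/phpmailer", minimum=MIN_SAFE):
    """Report whether the lock pin and the manifest floor both meet `minimum`."""
    floor = constraint_floor(manifest.get("require", {}).get(package, ""))
    locked = locked_version(lock, package)
    return {
        "lock_ok": locked is not None and locked >= minimum,
        "constraint_ok": floor is not None and floor >= minimum,
    }

# Constructed sample data (not copied from the repository).
SAMPLE_LOCK = json.loads(
    '{"packages": [{"name": "phpmailer/phpmailer", "version": "v5.2.26"}]}'
)
LOOSE_MANIFEST = {"require": {"phpmailer/phpmailer": "^5.2.22"}}  # assumed floor
TIGHT_MANIFEST = {"require": {"phpmailer/phpmailer": "^5.2.26"}}  # from the comment

if __name__ == "__main__":
    print("lock only:", audit(LOOSE_MANIFEST, SAMPLE_LOCK))
    print("lock + floor:", audit(TIGHT_MANIFEST, SAMPLE_LOCK))
```

With the lock updated but the constraint left loose, `lock_ok` is true while `constraint_ok` is false, which is the gap the `^5.2.26` suggestion closes.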
