minor #847 Clarify CVE / security fix (barryvdh)

This PR was merged into the 5.x branch. Discussion ---------- Clarify CVE / security fix Not sure if you want to be this explicit, but took the example from below. Also, there is an CVE for Swiftmailer, instead those two from phpmailer, see https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html Commits ------- 5b04f81 Clarify CVE / security fix
swiftmailer · Dec 29, 2016 · e341230 · e341230
2 parents 5d352e6 + 5b04f81
commit e341230
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -10,7 +10,11 @@ Changelog
 5.4.5 (2016-12-29)
 ------------------
 
- * fixed CVE-2016-10033 and CVE-2016-10045
+ * SECURITY FIX:  fixed CVE-2016-10074 by disallowing potentially unsafe shell characters
+
+   Prior to 5.4.5, the mail transport (Swift_Transport_MailTransport) was vulnerable to passing
+   arbitrary shell arguments if the "From", "ReturnPath" or "Sender" header came
+   from a non-trusted source, potentially allowing Remote Code Execution
  * deprecated the mail transport
 
 5.4.4 (2016-11-23)