Releases: PHPMailer/PHPMailer
PHPMailer 5.2.24
- SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
- Handle bare codes (an RFC contravention) in SMTP server responses
- Make message timestamps more dynamic - calculate the date separately for each message
- Include timestamps in HTML-format debug output
- Improve Turkish, Norwegian, Serbian, Brazilian Portuguese & simplified Chinese translations
- Correction of Serbian ISO language code from sr to rs
- Fix matching of multiple entries in Host to match IPv6 literals without breaking port selection (see #1094, caused by a3b4f6b)
- Better capture and reporting of SMTP connection errors
PHPMailer 5.2.23
This is a minor maintenance release.
- Improve trapping of TLS errors during connection so that they don't cause warnings, and are reported better in debug output
- Amend test suite so it uses PHPUnit version 4.8, compatible with older versions of PHP, instead of the version supplied by Travis-CI
- This forces pinning of some dev packages to older releases, but should make travis builds more reliable
- Test suite now runs on HHVM, and thus so should PHPMailer in general
- Improve Czech translations
- Add links to CVE-2017-5223 resources
PHPMailer 6.0.0rc5
Overhaul handling of line break format to be much more consistent. Should solve issues on Windows PHP versions, though it's still subject to a bug that's being fixed in PHP 7.0.17 and PHP 7.1.3. See #953 for discussion of the issue and several reasonable workarounds.
PHPMailer 6.0.0rc4
- Migrate recent security fixes from master for CVE-2016-10033, CVE-2016-10045, CVE-2017-5223
- Add more tests for line break formats
- Remove unused LE property.
PHPMailer 5.2.22
- SECURITY Fix CVE-2017-5223, local file disclosure vulnerability if content passed to msgHTML() is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to msgHTML() without a $basedir will not import images with relative URLs, and relative URLs containing .. will be ignored.
- Add simple contact form example
- Emoji in test content
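An added illustration of the rule in the 5.2.22 entry above (not PHPMailer's own code): it lists the img sources in an HTML body and reports which ones would qualify as embeddable local images. The function names, the sample HTML, and the rejection of absolute paths and of URLs with a scheme are assumptions of this example.

```php
<?php
// Added illustration of the 5.2.22 rule; not PHPMailer's code.
// Function names and sample data are hypothetical.

/** Decide whether an <img src> value may be read from local disk. */
function mayEmbedLocalImage(string $src, string $basedir): bool
{
    // URLs with a scheme (http:, data:, cid:) or "//host" are not local files.
    if (preg_match('#^([a-z][a-z0-9+.\-]*:|//)#i', $src)) {
        return false;
    }
    // Assumption of this example: absolute paths are not relative URLs.
    if ($src === '' || $src[0] === '/') {
        return false;
    }
    // Without a $basedir, relative URLs are not imported.
    if ($basedir === '') {
        return false;
    }
    // Relative URLs containing ".." are ignored.
    return strpos($src, '..') === false;
}

/** Map every <img src> in the HTML to the decision made for it. */
function auditImageSources(string $html, string $basedir): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // tolerate malformed user-supplied markup
    $decisions = [];
    foreach ($doc->getElementsByTagName('img') as $img) {
        $src = $img->getAttribute('src');
        $decisions[$src] = mayEmbedLocalImage($src, $basedir);
    }
    return $decisions;
}

// Constructed sample standing in for unfiltered user content.
$html = '<img src="images/logo.png"><img src="../config/secrets.ini">'
      . '<img src="/var/log/app.log"><img src="https://example.com/a.png">';

var_dump(auditImageSources($html, ''));              // simulates msgHTML() without a $basedir
var_dump(auditImageSources($html, '/var/www/mail')); // simulates msgHTML() with a $basedir
```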
PHPMailer 5.2.21
Fix missed number update in version file - no functional changes
PHPMailer 5.2.20
Important security update!
This release patches the critical vulnerability described in CVE-2016-10045, a remote code execution vulnerability, responsibly reported by Dawid Golunski, and patched by Paul Buonopane (@Zenexer).
Possible side effect - complex sender addresses (such as those used in VERP addressing) may no longer work. We advise switching to the SMTP transport if you need that functionality, and it offers higher performance anyway.
Please update your systems as soon as possible.
Additional notes on this incident are available in the PHPMailer wiki.
Note that the vulnerability described in here likely affects many other projects in a similar way, so please practice responsible disclosure, and help project maintainers fix security issues.
PHPMailer 5.2.19
Minor cleanup
- Fix broken version constant
- Remove duplicate check for Sender address
If you are running any version of PHPMailer prior to 5.2.18, you should update as soon as possible.
PHPMailer 5.2.18
- SECURITY Critical security update for CVE-2016-10033, please update now! Thanks to Dawid Golunski.
- Add ability to extract the SMTP transaction ID from some common SMTP success messages
- Minor documentation tweaks
PHPMailer 6.0.0rc3
Hopefully the last release candidate. Breaks a few more things - more use of constants, last few changes from master merged in.