automated-survey-laravel icon indicating copy to clipboard operation
automated-survey-laravel copied to clipboard

Published 20 hours ago verified publisher icon TwilioDevEd

[Security] Bump swiftmailer/swiftmailer from 5.4.3 to 5.4.12

Open dependabot-preview[bot] opened this issue 6 years ago • 0 comments

Bumps swiftmailer/swiftmailer from 5.4.3 to 5.4.12. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Remote Code Execution when using the mail transport

Affected versions: >=4.0.0, <5.0.0; >=5.0.0, <5.4.5

Changelog

Sourced from swiftmailer/swiftmailer's changelog.

5.4.12 (2018-07-31)

  • fixed typo

5.4.11 (2018-07-31)

  • fixed startTLS support for PHP 5.6-

5.4.10 (2018-07-27)

  • fixed startTLS only allowed tls1.0, now allowed: tls1.0, tls1.1, tls1.2

5.4.9 (2018-01-23)

  • no changes, last version of the 5.x series

5.4.8 (2017-05-01)

  • fixed encoding inheritance in addPart()
  • fixed sorting MIME children when their types are equal

5.4.7 (2017-04-20)

  • fixed NTLMAuthenticator clobbering bcmath scale

5.4.6 (2017-02-13)

  • removed exceptions thrown in destructors as they lead to fatal errors
  • switched to use sha256 by default in DKIM as per the RFC
  • fixed an 'Undefined variable: pipes' PHP notice
  • fixed long To headers when using the mail transport
  • fixed NTLMAuthenticator when no domain is passed with the username
  • prevented fatal error during unserialization of a message
  • fixed a PHP warning when sending a message that has a length of a multiple of 8192

5.4.5 (2016-12-29)

  • SECURITY FIX: fixed CVE-2016-10074 by disallowing potentially unsafe shell characters

    Prior to 5.4.5, the mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the "From", "ReturnPath" or "Sender" header came from a non-trusted source, potentially allowing Remote Code Execution

... (truncated)
Commits
  • 181b89f prepared the 5.4.12 release
  • dccdd7c updated CHANGES
  • d96063e fixed typo
  • 7c6640e prepared the 5.4.11 release
  • 5a82b2e updated CHANGES
  • d9aed42 refactored code
  • 421299e bug #1112 wxu: Fix release version is not compatible with low version PHP (wxu)
  • c14b7af wxu: Fix release version is not compatible with low version PHP
  • dd71cc1 prepared the 5.4.10 release
  • 5fbe82f Allow explicit tls1.0, tls1.1, tls1.2 for startTLS
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

dependabot-preview[bot] avatar Aug 16 '19 07:08 dependabot-preview[bot]