Hi All,
newbie here so please be gentle, and apologies if this is a FAQ ... I have googled but not found what I need.
We have several Linux (centos) servers running mantis for differing uses... the versions running are
1.2.3
1.2.15
We are aware of a phpmailer vulnerability that requires phpmailer to be updated
https://legalhackers.com/advisories/PHP ... -Vuln.html ->
https://legalhackers.com/advisories/PHP ... ypass.html
All I can glean from them is that there is no official solution yet.
Has anybody else come across this?
If however the simple answer is just to upgrade phpmailer to a version > 5.2.20
the current version is 5.2.22...
but then how do I upgrade it? I've googled for how to do it and found nothing for Linux servers.
any help gratefully accepted.
cheers
didds
How to upgrade phpmailer within mantis
Re: How to upgrade phpmailer within mantis
didds wrote: 1.2.3
There are a lot of known security issues in this MantisBT version.
didds wrote: 1.2.15
There are some known security issues in this MantisBT version.
didds wrote: We are aware of a phpmailer vulnerability that requires phpmailer to be updated
This vulnerability is harmless compared to what I mentioned above.
I even think that Mantis is not affected by it.
I recommend upgrading to the latest stable MantisBT 1.3.x as
a) there are a lot of security related fixes in it
b) it comes with newer bundled phpmailer
Currently available in version 1.3.5
http://www.mantisbt.org/bugs/view.php?id=22073
Newer version will be available in 1.3.6 (expected end of January)
You might also consider using 2.0.x.
http://www.mantisbt.org/bugs/view.php?id=22207
Re: How to upgrade phpmailer within mantis
Yup - totally agree with the comments about vulnerable versions - there is a project underway to upgrade them as it is.
It's just that at the same time this other vulnerability has appeared and I've been tasked with patching it.
cheers
didds
Last edited by didds on 19 Jan 2017, 13:31, edited 1 time in total.
Re: How to upgrade phpmailer within mantis
so... in the meantime...
How do I upgrade the version of phpmailer that we currently have?
Or is the accepted view (source needed ~;-) that it just isn't an issue?
cheers
didds
Re: How to upgrade phpmailer within mantis
atrol wrote:
    didds wrote: 1.2.3
    There are a lot of known security issues in this MantisBT version.
    didds wrote: 1.2.15
    There are some known security issues in this MantisBT version.
    didds wrote: We are aware of a phpmailer vulnerability that requires phpmailer to be updated
    This vulnerability is harmless compared to what I mentioned above.
    I even think that Mantis is not affected by it.
Cheers for those! Is there a source for those vulnerabilities, cos I want to show the business reason for updating mantis earlier than planned.
cheers
didds
Re: How to upgrade phpmailer within mantis
This should be enough to show people that running MantisBT 1.2.3 is not a good idea in terms of security:
https://www.mantisbt.org/bugs/search.ph ... tch_type=0
https://www.mantisbt.org/bugs/search.ph ... tch_type=0