How to upgrade phpmailer within mantis

Posted: 18 Jan 2017, 16:57
by didds
Hi All,

newbie here so please be gentle, and apologies if this is a FAQ ... I have googled but not found what I need.

We have several Linux (centos) servers running mantis for differing uses... the versions running are

1.2.3
1.2.15

We are aware of a phpmailer vulnerability that requires phpmailer to be updated

https://legalhackers.com/advisories/PHP ... -Vuln.html ->
https://legalhackers.com/advisories/PHP ... ypass.html

All I can glean from them is that there is no official solution yet

Has anybody else come across this?

If however the simple answer is just to upgrade phpmailer to a version > 5.2.20

the current version is 5.2.22...

but then how do I upgrade it? I've googled for how to do it and found nothing for Linux servers.


any help gratefully accepted.

cheers

didds

Re: How to upgrade phpmailer within mantis

Posted: 18 Jan 2017, 20:10
by atrol
didds wrote: 1.2.3
There are a lot of known security issues in this MantisBT version.
didds wrote: 1.2.15
There are some known security issues in this MantisBT version.
didds wrote: We are aware of a phpmailer vulnerability that requires phpmailer to be updated
This vulnerability is harmless compared to what I mentioned above.
I even think that Mantis is not affected by it.

I recommend upgrading to the latest stable MantisBT 1.3.x as
a) there are a lot of security related fixes in it
b) it comes with newer bundled phpmailer

Currently available in version 1.3.5
http://www.mantisbt.org/bugs/view.php?id=22073

Newer version will be available in 1.3.6 (expected end of January)

You might also consider using 2.0.x.
http://www.mantisbt.org/bugs/view.php?id=22207

Re: How to upgrade phpmailer within mantis

Posted: 19 Jan 2017, 11:35
by didds
Yup - totally agree with the comments about vulnerable versions - there is a project underway to upgrade them as it is.

It's just that at the same time this other vulnerability has appeared and I've been tasked with patching it.

cheers

didds

Re: How to upgrade phpmailer within mantis

Posted: 19 Jan 2017, 11:40
by didds
so... in the meantime...

How do I upgrade the version of phpmailer that we currently have?

Or is the accepted view (source needed ~;-) that it just isn't an issue?

cheers

didds

Re: How to upgrade phpmailer within mantis

Posted: 19 Jan 2017, 11:58
by didds
atrol wrote:
didds wrote: 1.2.3
There are a lot of known security issues in this MantisBT version.
didds wrote: 1.2.15
There are some known security issues in this MantisBT version.
didds wrote: We are aware of a phpmailer vulnerability that requires phpmailer to be updated
This vulnerability is harmless compared to what I mentioned above.
I even think that Mantis is not affected by it.

Cheers for those! Is there a source for those vulnerabilities, cos I want to show the business reason for updating mantis earlier than planned :-)


cheers

didds

Re: How to upgrade phpmailer within mantis

Posted: 19 Jan 2017, 15:49
by atrol
This should be enough to show people that running MantisBT 1.2.3 is not a good idea in terms of security

https://www.mantisbt.org/bugs/search.ph ... tch_type=0