I've just released symfony 1.0.5. If you use the symfony built-in phpmailer (and you do if you use the ->sendMail() method in your actions), you must upgrade to this release or apply the following patch: http://trac.symfony-project.com/trac/changeset/4380?format=diff&new=4380.

PHPMailer has a remote command execution vulnerability if you have configured it to use sendmail. You can find more information about this issue here: http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/

Here are all bugs fixed in this release:

r4387: fixed input_date_range_tag - Illegal attributes in input tags (#1883)
r4385: fixed issue relating to lock files (#1874)
r4380: fixed vulnerability in phpmailer with sender (#1871)
r4323: fixed DOMDocument E_STRICT warning and trans-unit max id in XLIFF support
r4320: fixed sfToolkit::isUTF8() broken for strings larger than some number
r4305: added i18n schema for MySQL and SQLite in API documentation

As for every 1.0.X release, after upgrading to 1.0.5, don't forget to clear the cache of your projects.

Published in #Releases #Security Advisories

E.T.Cook said on Jun 25, 2007 at 23:18

I just upgraded, and when I do a symfony -V, the version went down from 1.0.4 to 1.0.3 ironically...and i should be 1.0.5! Is it just semantic?

rihad said on Jun 27, 2007 at 12:30

I have a suggestion: make 1.0.x 0.9.x or some such, and release 1.0 as soon as Symfony has validation at the model, not controller, level (design issue).

Adriaan said on Jul 8, 2007 at 16:30

Nice update... Only trouble...

-bash-3.1$ symfony propel-build-all

Fatal error: Unsupported operand types in /usr/share/pear/symfony/util/Spyc.class.php on line 667

Call Stack: 0.0007 40128 1. {main}() /usr/bin/symfony:0 0.0026 86816 2. include('/usr/share/pear/data/symfony/bin/symfony.php') /usr/bin/symfony:39 0.1036 1622008 3. pakeApp->run() /usr/share/pear/data/symfony/bin/symfony.php:171 0.1176 1710944 4. pakeTask->invoke() /usr/share/pear/symfony/vendor/pake/pakeApp.class.php:143 0.1193 1711296 5. pakeTask->execute() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:181 0.1194 1711296 6. call_user_func_array() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:218 0.1194 1711296 7. run_propel_build_all() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:0 0.1194 1711296 8. run_propel_build_model() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:159 0.1194 1711296 9. _propel_convert_yml_schema() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:172 0.4383 1928136 10. sfPropelDatabaseSchema->loadYAML() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:71 0.4392 1943328 11. sfYaml::load() /usr/share/pear/symfony/addon/propel/sfPropelDatabaseSchema.class.php:31 0.4461 2141880 12. Spyc->load() /usr/share/pear/symfony/util/sfYaml.class.php:59 0.4524 2147816 13. Spyc->_parseLine() /usr/share/pear/symfony/util/Spyc.class.php:256 0.4525 2147960 14. Spyc->_toType() /usr/share/pear/symfony/util/Spyc.class.php:591

judas_iscariote said on Jul 12, 2007 at 05:20

What about removing phpmailer completely and switch the symfony code to SwiftMailer. ?

symfony 1.0.5 released (security fix)

Comments

Become a Symfony contributor