I've just released symfony 1.0.5. If you use the symfony built-in phpmailer (and you do if you use the ->sendMail() method in your actions), you must upgrade to this release or apply the following patch: http://trac.symfony-project.com/trac/changeset/4380?format=diff&new=4380.
PHPMailer has a remote command execution vulnerability if you have configured it to use sendmail. You can find more information about this issue here: http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
Here are all bugs fixed in this release:
- r4387: fixed input_date_range_tag - Illegal attributes in input tags (#1883)
- r4385: fixed issue relating to lock files (#1874)
- r4380: fixed vulnerability in phpmailer with sender (#1871)
- r4323: fixed DOMDocument E_STRICT warning and trans-unit max id in XLIFF support
- r4320: fixed sfToolkit::isUTF8() broken for strings larger than some number
- r4305: added i18n schema for MySQL and SQLite in API documentation
As for every 1.0.X release, after upgrading to 1.0.5, don't forget to clear the cache of your projects.