symfony 1.0.5 released (security fix)

I've just released symfony 1.0.5. If you use the symfony built-in phpmailer (and you do if you use the ->sendMail() method in your actions), you must upgrade to this release or apply the following patch: http://trac.symfony-project.com/trac/changeset/4380?format=diff&new=4380.

PHPMailer has a remote command execution vulnerability if you have configured it to use sendmail. You can find more information about this issue here: http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
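The issue described above comes down to an envelope sender address reaching a sendmail command line without being validated or quoted as a shell argument. The following is an added illustration of the defensive pattern, written for this page and not taken from symfony's or PHPMailer's code; the function names, the sendmail flags and the sample addresses are assumptions for demonstration only.

```php
<?php
// Added example (not symfony's or PHPMailer's code): guard the envelope
// sender before it is used on a sendmail command line.
//
// The weak pattern is interpolating an unvalidated, unquoted sender into a
// command string that is then handed to a shell, e.g.
//   popen($sendmailPath . ' -oi -f ' . $sender . ' -t', 'w');
// Any shell metacharacters in $sender are then interpreted by the shell.

// Hypothetical helper: strict allow-list check on the sender address.
function isSafeSender($sender)
{
    if (!is_string($sender) || strlen($sender) === 0 || strlen($sender) > 254) {
        return false;
    }

    // Conservative local-part@domain pattern: no whitespace, quotes or
    // shell metacharacters can pass this check.
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $sender);
}

// Hypothetical helper: build the sendmail command safely.
function buildSendmailCommand($sendmailPath, $sender)
{
    if (!isSafeSender($sender)) {
        throw new InvalidArgumentException('Invalid envelope sender address');
    }

    // escapeshellarg() quotes each value as a single shell argument, so even
    // if the allow-list above is relaxed later, the shell never sees an
    // unquoted sender. Flags (-oi, -f, -t) are assumed for illustration.
    return sprintf('%s -oi -f %s -t',
        escapeshellarg($sendmailPath),
        escapeshellarg($sender));
}

// Constructed sample values for demonstration.
$sendmailPath = '/usr/sbin/sendmail';
$candidates = array(
    'alice@example.com',          // valid: accepted
    "bob@example.com' extra",     // contains a quote and a space: rejected
    'not-an-address',             // no domain part: rejected
);

foreach ($candidates as $candidate) {
    try {
        echo buildSendmailCommand($sendmailPath, $candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', var_export($candidate, true), ': ', $e->getMessage(), "\n";
    }
}
```

The check and the quoting are deliberately redundant: the allow-list rejects anything that is not a plain address, and escapeshellarg() ensures that whatever does get through is still passed as one argument. Either alone would close the hole; together they keep it closed when one of them is later loosened.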

Here are all bugs fixed in this release:

  • r4387: fixed input_date_range_tag - Illegal attributes in input tags (#1883)
  • r4385: fixed issue relating to lock files (#1874)
  • r4380: fixed vulnerability in phpmailer with sender (#1871)
  • r4323: fixed DOMDocument E_STRICT warning and trans-unit max id in XLIFF support
  • r4320: fixed sfToolkit::isUTF8() broken for strings larger than some number
  • r4305: added i18n schema for MySQL and SQLite in API documentation

As with every 1.0.x release, after upgrading to 1.0.5, don't forget to clear the cache of your projects.

If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

I just upgraded, and when I do a symfony -V, the version went down from 1.0.4 to 1.0.3 ironically... and it should be 1.0.5! Is it just semantic?
I have a suggestion: make 1.0.x 0.9.x or some such, and release 1.0 as soon as Symfony has validation at the model, not controller, level (design issue).
Nice update... Only trouble...

-bash-3.1$ symfony propel-build-all

Fatal error: Unsupported operand types in /usr/share/pear/symfony/util/Spyc.class.php on line 667

Call Stack:
0.0007 40128 1. {main}() /usr/bin/symfony:0
0.0026 86816 2. include('/usr/share/pear/data/symfony/bin/symfony.php') /usr/bin/symfony:39
0.1036 1622008 3. pakeApp->run() /usr/share/pear/data/symfony/bin/symfony.php:171
0.1176 1710944 4. pakeTask->invoke() /usr/share/pear/symfony/vendor/pake/pakeApp.class.php:143
0.1193 1711296 5. pakeTask->execute() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:181
0.1194 1711296 6. call_user_func_array() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:218
0.1194 1711296 7. run_propel_build_all() /usr/share/pear/symfony/vendor/pake/pakeTask.class.php:0
0.1194 1711296 8. run_propel_build_model() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:159
0.1194 1711296 9. _propel_convert_yml_schema() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:172
0.4383 1928136 10. sfPropelDatabaseSchema->loadYAML() /usr/share/pear/data/symfony/tasks/sfPakePropel.php:71
0.4392 1943328 11. sfYaml::load() /usr/share/pear/symfony/addon/propel/sfPropelDatabaseSchema.class.php:31
0.4461 2141880 12. Spyc->load() /usr/share/pear/symfony/util/sfYaml.class.php:59
0.4524 2147816 13. Spyc->_parseLine() /usr/share/pear/symfony/util/Spyc.class.php:256
0.4525 2147960 14. Spyc->_toType() /usr/share/pear/symfony/util/Spyc.class.php:591
What about removing phpmailer completely and switching the symfony code to SwiftMailer?
