Topic Closed
juergen
1.5K Posts
55K Downloads
16 Plugins
design, web development & visual effects

A critical vulnerability has been discovered in PHPmailer, a thirdparty component used by Typesetter CMS.

The current version 5.2.14 which is implemented in Typesetter CMS should be updated IMMEDIATELY to 5.2.21

 

HowTo:

  1. Download PHPmailer's current master ZIP archive from GitHub.
  2. Extract the files class.phpmailer.php, class.pop3.php, class.smtp.php and PHPMailerAutoload.php
  3. Log on to your Webhost (via FTP/SFTP or your control panel. You need file system access)
  4. Overwrite/replace the files in [Typesetter installation root]/include/thirdparty/PHPmailer/ with the new ones.
  5. Done.

 

Links:

Edited: 4 years ago#9906

Rob1n
95 Posts
Thanks Juergen.
4 years ago#9907

Cheers juergen!

Is anyone aware of a list or other way to be notified of security issues which should be addressed in between Typesetter upgrades?

 

3 years ago#9913

juergen
1.5K Posts
55K Downloads
16 Plugins
design, web development & visual effects

… other way to be notified of security issues which should be addressed in between Typesetter upgrades?

Although we had 2 such cases in 2016, they are fortunaltely very rare with Typesetter.
So, to answer your question, there is yet no official channel for that purpose.

If Josh would add a 'Security' forum chapter, anyone could follw it. Should be considered IMO.

For the time being, you could subscribe to my blog feed on my Typesetter Addons page -> http://typesetter-addons.grafikrausz.at/Blog_Feed
While this blog is meant to announce new addon versions, I do also post security issues there (of course I can only report things I'm aware of).

3 years ago#9916

DAL
29 Posts

Hi Juergen,

Thanks for all the info.

Do you know if these files have be added and are now part of the latest full Typesetter 5.0.3 installation zip download?

Thanks,

D.

3 years ago#9917

juergen
1.5K Posts
55K Downloads
16 Plugins
design, web development & visual effects

if these files have be added and are now part of the latest full Typesetter 5.0.3 installation zip download?

No. Thomas issued a pull request on GitHub but it has not been merged yet.
You will have to fix every new installation manually until Typesetter 5.0.4 (or whatever version) will be released.

3 years ago#9918

andrew
14 Posts

Thanks for bringing this up!  I got a security message from Gentoo (the linux distro I use) about this vulnerability, but I didn't realize phpmailer is part of Typesetter.  Worth noting as well is that at least one Typesetter addon "Special Contact Form" also includes phpmailer.

It would be a good idea for anyone to search for these four files on their webserver, if running multiple sites, multiple software, etc. 

3 years ago#9928

Topic Closed

 

News

elFinder 2.1.50 in Upcoming Release
12/28/2019

A new release for Typesetter is in the works with a lot of improvements including the ... Read More

Typesetter 5.1
8/12/2017

Typesetter 5.1 is now available for download. 5.1 includes bug fixes, UI/UX improvements, ... Read More

More News

creisi productions

Dienstleistungen von creisi productions, Luzern (Schweiz): * Konzeption, Planung und Erstellung Ihres Internet-Auftritts * Betreuung und Aktualisierung/Pflege Ihrer Website * ...

Find out more about our Provider Spotlight

Log In

  Register