Recent security issues with PHPMailer and SwiftMailer

Recently three security vulnerabilities in PHPMailer and SwiftMailer have been announced:

  • 25.12.2016, CVE-2016-10033 Remote Code Execution vulnerability in PHPMailer

  • 27.12.2016, CVE-2016-10045 Remote Code Execution vulnerability in PHPMailer

  • 28.12.2016, CVE-2016-10074 Remote Code Execution vulnerability in SwiftMailer

All three advisories list Yii among the affected frameworks in their initial release, so we want to clarify who is actually affected and what action is required.

Regarding PHPMailer: Yii has never officially provided a mailing component based on PHPMailer, nor does the Yii team bundle PHPMailer in any officially released code.

The mention of Yii in the report was copied from the PHPMailer README, which states that PHPMailer can be used with Yii.

Patches are available, so if you use PHPMailer the required action is to upgrade it to at least version 5.2.20. Note that 5.2.18 and 5.2.19 are not sufficient: CVE-2016-10045 is a bypass of the fix for CVE-2016-10033, and only 5.2.20 closes both.

The situation is different for SwiftMailer, for which we provide a Yii2 extension: yii2-swiftmailer.
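To check whether a project pulls in an affected release of either library, here is an added example that audits a composer.lock file. It is not part of the original post and not Yii's own tooling; the composer.lock embedded below is constructed sample input, not a real project's lock file. The phpmailer/phpmailer thresholds (5.2.18 for CVE-2016-10033, 5.2.20 for the bypass CVE-2016-10045) follow from the advisories listed above; the 5.4.5 threshold for swiftmailer/swiftmailer is taken from the SwiftMailer advisory for CVE-2016-10074, not from this page, and should be confirmed against the linked news post.

```python
import json
import re

# Lowest fixed release per CVE. PHPMailer thresholds follow the advisories above
# (CVE-2016-10045 bypasses the 5.2.18 fix for CVE-2016-10033, so 5.2.20 is needed).
# The SwiftMailer threshold (5.4.5) is taken from the SwiftMailer advisory for
# CVE-2016-10074, not from this page.
FIXED_IN = {
    "phpmailer/phpmailer": [
        ("CVE-2016-10033", (5, 2, 18)),
        ("CVE-2016-10045", (5, 2, 20)),
    ],
    "swiftmailer/swiftmailer": [
        ("CVE-2016-10074", (5, 4, 5)),
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Map a composer version string ('v5.2.19', '5.4.5', '5.4') to an int tuple.
    Returns None for branch aliases such as 'dev-master', which cannot be compared."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def audit_composer_lock(lock_text):
    """Return one finding per listed library that is not known to be fixed.

    Each finding is a dict with the package name, the installed version string,
    a status of 'vulnerable' or 'unknown', and the CVEs still open at that version.
    Packages at or above every threshold produce no finding."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            if name not in FIXED_IN:
                continue
            raw_version = pkg.get("version", "")
            installed = parse_version(raw_version)
            if installed is None:
                # A branch checkout: the pinned commit must be inspected by hand,
                # so report every CVE as unresolved rather than silently passing.
                findings.append({
                    "package": name,
                    "version": raw_version,
                    "status": "unknown",
                    "open_cves": [cve for cve, _ in FIXED_IN[name]],
                })
                continue
            # Tuple comparison: (5, 2, 19) < (5, 2, 20) is True.
            open_cves = [cve for cve, fixed in FIXED_IN[name] if installed < fixed]
            if open_cves:
                findings.append({
                    "package": name,
                    "version": raw_version,
                    "status": "vulnerable",
                    "open_cves": open_cves,
                })
    return findings


# Constructed sample composer.lock (not a real project's lock file). PHPMailer is
# pinned at 5.2.19, which closes CVE-2016-10033 but not the bypass CVE-2016-10045.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "phpmailer/phpmailer", "version": "v5.2.19"},
    {"name": "swiftmailer/swiftmailer", "version": "v5.4.4"},
    {"name": "yiisoft/yii2", "version": "2.0.10"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "5.7.5"}
  ]
}
"""

if __name__ == "__main__":
    for finding in audit_composer_lock(SAMPLE_LOCK):
        print("{package} {version}: {status}, open: {cves}".format(
            cves=", ".join(finding["open_cves"]), **finding))
```

Against a real project, call `audit_composer_lock(open("composer.lock").read())`. A `dev-*` version is reported as unknown rather than passed, because a branch alias says nothing about whether the pinned commit contains the fix; inspect the `source.reference` commit by hand in that case.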

The details are described in the following.

See our news post for details.