Component Type: Non-core package for Flow
Vulnerability Type: Remote code execution
Severity: Critical
Affected Versions: All typo3/swiftmailer and neos/swiftmailer versions before 5.4.5
Release Date: January 6th, 2017
Suggested CVSS v3.0: n/a
CVE: CVE-2016-10074 (assigned to original vulnerability)
Problem Description
A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. See this advisory for details. If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still recommended!
Solution
Versions 5.4.5 fixes the issue and users are encouraged to update immediately. The patch level release of our neos/swiftmailer package can be fetched via composer and contains no breaking changes.
Hint: If you still require typo3/swiftmailer, you should change this to neos/swiftmailer while you are at it.