<div dir="auto">WordPress probably uses its own version which, I assume, they will maintain afterwards.<div dir="auto"><br></div><div dir="auto">I'll see if I can find more about what they're doing with it for the longer term.</div><div dir="auto"><br></div><div dir="auto">The easiest way for me is to just drop the depends.</div><div dir="auto"><br></div><div dir="auto"> - Craig</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, 8 Dec. 2018, 02:06 Salvatore Bonaccorso <<a href="mailto:carnil@debian.org">carnil@debian.org</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Control: severity -1 serious<br>
<br>
As mentioned in<br>
<a href="https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27" rel="noreferrer noreferrer" target="_blank">https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27</a> the 5.2<br>
branch is deprecated and will not recieve security updates anymore<br>
after 31st December 2018.<br>
<br>
This is not an issue per se, as we usually need to backport fixes to<br>
older versions in general for bugfixes but in particular for<br>
security-fixes; but starting buster with a know deprecated and not<br>
supported version given upstream actively develops on the 6.x branch<br>
looks somehow problematic for the buster release cycle.<br>
<br>
For this concern, I'm raising the severity to RC.<br>
<br>
there are a couple of packages with Depends or Build-Depends on<br>
libphp-phpmailer, and I'm X-Debbugs-CC'ing those here.<br>
<br>
# Broken Depends:<br>
cacti: cacti<br>
tt-rss: tt-rss<br>
wordpress: wordpress<br>
<br>
# Broken Build-Depends:<br>
wordpress: libphp-phpmailer (>= 5.2.14)<br>
<br>
Regards,<br>
Salvatore<br>
</blockquote></div>