PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar
Deserialization via addAttachment with a UNC pathname. NOTE: this is similar
to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in
which UNC pathnames were always considered unreadable by PHPMailer, even in
safe contexts. As an unintended side effect, this fix eliminated the code
that blocked addAttachment exploitation.
All done (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=516dae1a577f330b2aac5245cbbf41bd3a18ce15), repository is clean.