community/pipermail-archives/sup-talk/2013-10.txt
From eg@gaute.vetsj.com Tue Oct 29 10:54:58 2013
From: eg@gaute.vetsj.com (Gaute Hope)
Date: Tue, 29 Oct 2013 11:54:58 +0100
Subject: [sup-talk] Security advisory, releases 0.13.2.1 and 0.14.1.1
Message-ID: <1383043976-sup-2451@qwerzila>

Greetings,

Security advisory (#SBU1) for Sup

We have been notified of a potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1, which
incorporate these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].

This is specifically related to using quotes (', ") around filename or
content_type, which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non-OSX systems), you do not quote the string.

Credit goes to joernchen of Phenoelit (http://phenoelit.de), who
discovered and suggested fixes for these issues.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup

You can use 'gem' to upgrade or install sup. Please report any issues
to: https://github.com/sup-heliotrope/sup/issues

Regards, Gaute

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://rubyforge.org/pipermail/sup-talk/attachments/20131029/fb6f449a/attachment-0001.bin>
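The quoting rule the advisory states (the filename and content_type Sup passes to a hook are already run through Shellwords.escape, so a hook or mailcap entry must not wrap them in quotes again), as an added example that is not part of the advisory or of Sup's own code. It escapes a filename once, builds the viewer command in the three styles a hook author might write (bare, single-quoted, double-quoted) and uses Shellwords.split to model the word splitting and quote removal /bin/sh would perform before starting the viewer. xdg-open is an illustrative viewer and the four filenames are constructed for the demonstration.

```ruby
require 'shellwords'

# Constructed sample filenames (not from the advisory): one benign name with a
# space, and three carrying bytes that matter to a shell.
SAMPLE_FILENAMES = {
  plain:    "report final.pdf",
  metachar: "x; echo INJECTED",
  quote:    "it's.pdf",
  newline:  "a\nrm -rf tmp",
}.freeze

# Build the command a mime-view hook (or a mailcap entry's %s substitution)
# would hand to /bin/sh. The filename is escaped exactly once with
# Shellwords.escape, as the advisory says Sup now does. :bare is the intended
# form; :single and :double are the re-quoted forms the advisory warns against.
# xdg-open is only an illustrative viewer.
def view_command(filename, style)
  escaped = Shellwords.escape(filename)
  arg = case style
        when :bare   then escaped
        when :single then "'#{escaped}'"
        when :double then "\"#{escaped}\""
        else raise ArgumentError, "unknown quoting style #{style.inspect}"
        end
  "xdg-open #{arg}"
end

# Model the shell's word splitting and quote removal offline. Shellwords.split
# applies the POSIX rules for single quotes, double quotes and backslashes, so
# it returns the argv the viewer would actually receive. It does not model
# operators such as ';' or '$(...)', but after Shellwords.escape those are
# backslash-escaped and a real shell treats them as literal characters too.
# Unbalanced quoting is reported as :syntax_error; a real shell would reject
# the whole command line ("unexpected EOF while looking for matching quote").
def shell_argv(cmd)
  Shellwords.split(cmd)
rescue ArgumentError
  :syntax_error
end

def viewer_argv(filename, style)
  shell_argv(view_command(filename, style))
end

# True when the viewer receives exactly one argument equal to the original
# filename, which is the only acceptable outcome for a view hook.
def filename_preserved?(filename, style)
  viewer_argv(filename, style) == ["xdg-open", filename]
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_FILENAMES.each do |label, name|
    puts "#{label}: #{name.inspect}"
    %i[bare single double].each do |style|
      puts "  #{style}: #{view_command(name, style).inspect} -> #{viewer_argv(name, style).inspect}"
    end
  end
end
```

Running it shows the two failure modes behind the advice. For the benign name, both re-quoted forms deliver the backslashes literally (`report\ final.pdf`), so the viewer is asked for a file that does not exist. For a name containing a quote or a newline, the extra quotes change where the shell's quoting starts and stops: the single-quoted form of `it's.pdf` is no longer balanced, and the single-quoted form of the newline sample ends the quoted word at a point the sender chose, leaving an unquoted newline where a real shell would end the command. Only the bare form yields one argument equal to the filename for all four samples, which is why the escaped string must be used without further quotes, in hooks and in .mailcap alike.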