commit 50377326e05409affa77d73aa4673bc6c2765403
parent 280192c809088ebebd9908819d1a4811717353db
Author: Gaute Hope <eg@gaute.vetsj.com>
Date: Tue, 29 Oct 2013 11:22:16 +0100
Include notes from version 0.13.2.1
Conflicts:
lib/sup/version.rb
Conflicts:
CONTRIBUTORS
History.txt
ReleaseNotes
Diffstat:
3 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -3,7 +3,9 @@ Rich Lane <rlane at the club.cc.cmu dot edus>
Gaute Hope <eg at the gaute.vetsj dot coms>
Whyme Lyu <callme5long at the gmail dot coms>
Hamish Downer <dmishd at the gmail dot coms>
+Damien Leone <damien.leone at the fensalir dot frs>
Sascha Silbe <sascha-pgp at the silbe dot orgs>
+Eric Weikl <eric.weikl at the tngtech dot coms>
Ismo Puustinen <ismo at the iki dot fis>
Nicolas Pouillard <nicolas.pouillard at the gmail dot coms>
Michael Stapelberg <michael at the stapelberg dot des>
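Review bot: the two `+` lines here are not new contributors, so the hunk silently records an address change. Damien Leone moves up from the second hunk unchanged, and Eric Weikl reappears as `eric.weikl at the tngtech dot coms` while the `gmx dot nets` entry is removed further down; if CONTRIBUTORS is regenerated from the git log, that change belongs in a .mailmap entry so the regeneration is reproducible, otherwise it should at least be called out in the commit message.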
@@ -15,54 +17,54 @@ Clint Byrum <clint at the ubuntu dot coms>
Marcus Williams <marcus-sup at the bar-coded dot nets>
Lionel Ott <white.magic at the gmx dot des>
Gaudenz Steinlin <gaudenz at the soziologie dot chs>
-Damien Leone <damien.leone at the fensalir dot frs>
-Ingmar Vanhassel <ingmar at the exherbo dot orgs>
Mark Alexander <marka at the pobox dot coms>
-Eric Weikl <eric.weikl at the gmx dot nets>
+Ingmar Vanhassel <ingmar at the exherbo dot orgs>
+Edward Z. Yang <ezyang at the mit dot edus>
Christopher Warrington <chrisw at the rice dot edus>
W. Trevor King <wking at the drexel dot edus>
Richard Brown <rbrown at the exherbo dot orgs>
Anthony Martinez <pi+sup at the pihost dot uss>
Marc Hartstein <marc.hartstein at the alum.vassar dot edus>
-Israel Herraiz <israel.herraiz at the gmail dot coms>
Matthieu Rakotojaona <matthieu.rakotojaona at the gmail dot coms>
+Israel Herraiz <israel.herraiz at the gmail dot coms>
Bo Borgerson <gigabo at the gmail dot coms>
Michael Hamann <michael at the content-space dot des>
Jonathan Lassoff <jof at the thejof dot coms>
William Erik Baxter <web at the superscript dot coms>
Grant Hollingworth <grant at the antiflux dot orgs>
+Adeodato Simó <dato at the net.com.org dot ess>
Ico Doornekamp <ico at the pruts dot nls>
Markus Klinik <markus.klinik at the gmx dot des>
-Adeodato Simó <dato at the net.com.org dot ess>
Daniel Schoepe <daniel.schoepe at the googlemail dot coms>
Jason Petsod <jason at the petsod dot orgs>
-Edward Z. Yang <edwardzyang at the thewritingpot dot coms>
-Steve Goldman <sgoldman at the tower-research dot coms>
+James Taylor <james at the jamestaylor dot orgs>
Robin Burchell <viroteck at the viroteck dot nets>
+Steve Goldman <sgoldman at the tower-research dot coms>
Peter Harkins <ph at the malaprop dot orgs>
Decklin Foster <decklin at the red-bean dot coms>
Cameron Matheson <cam+sup at the cammunism dot orgs>
-Carl Worth <cworth at the cworth dot orgs>
Alex Vandiver <alex at the chmrr dot nets>
-Jeff Balogh <its.jeff.balogh at the gmail dot coms>
+Carl Worth <cworth at the cworth dot orgs>
Andrew Pimlott <andrew at the pimlott dot nets>
+Jeff Balogh <its.jeff.balogh at the gmail dot coms>
Matías Aguirre <matiasaguirre at the gmail dot coms>
Kornilios Kourtis <kkourt at the cslab.ece.ntua dot grs>
-Kevin Riggle <kevinr at the free-dissociation dot coms>
Giorgio Lando <patroclo7 at the gmail dot coms>
+Kevin Riggle <kevinr at the free-dissociation dot coms>
Benoît PIERRE <benoit.pierre at the gmail dot coms>
-Alvaro Herrera <alvherre at the alvh.no-ip dot orgs>
Steven Lawrance <stl at the koffein dot nets>
+Alvaro Herrera <alvherre at the alvh.no-ip dot orgs>
Jonah <Jonah at the GoodCoffee dot cas>
ian <itaylor at the uark dot edus>
+Per Andersson <avtobiff at the gmail dot coms>
Adam Lloyd <adam at the alloy-d dot nets>
Todd Eisenberger <teisenbe at the andrew.cmu dot edus>
Gregor Hoffleit <gregor at the sam.mediasupervision dot des>
MichaelRevell <mikearevell at the gmail dot coms>
-Per Andersson <avtobiff at the gmail dot coms>
Steven Walter <swalter at the monarch.(none)>
-Matthias Vallentin <vallentin at the icir dot orgs>
-Jon M. Dugan <jdugan at the es dot nets>
Stefan Lundström <lundst at the snabb.(none)>
Horacio Sanson <horacio at the skillupjapan.co dot jps>
+Jon M. Dugan <jdugan at the es dot nets>
+akojo <atte.kojo at the gmail dot coms>
+Matthias Vallentin <vallentin at the icir dot orgs>
Kirill Smelkov <kirr at the landau.phys.spbu dot rus>
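Review bot: most of this hunk is pure reordering (Ingmar Vanhassel, Israel Herraiz, Adeodato Simó, Steve Goldman, Carl Worth, Jeff Balogh, Kevin Riggle, Alvaro Herrera, Per Andersson, Jon M. Dugan and Matthias Vallentin each move a line or two with no change), which hides the three substantive edits: Edward Z. Yang's address becomes `ezyang at the mit dot edus`, and James Taylor and akojo are added. Regenerating with a stable ordering, or committing the reorder separately, would make the real additions reviewable. The placeholder hosts in `Steven Walter <swalter at the monarch.(none)>` and `Stefan Lundström <lundst at the snabb.(none)>` come from commits made with an unconfigured git identity and survive this regeneration unchanged; a .mailmap entry would fix them.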
diff --git a/History.txt b/History.txt
@@ -45,8 +45,9 @@
* Tempfiles for attachments are persistent through the sup process to
ensure that spawned processes have access to them.
-* Fix incorrect use of Shellwords.escape to better prevent remote
- command injection.
+== 0.13.2.1 / 2013-10-29
+
+* SBU1: security release
== 0.14.1 / 2013-08-31
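Review bot: the removed bullet `* Fix incorrect use of Shellwords.escape to better prevent remote command injection.` is the only History.txt line that says what the security fix was, and the replacement section `== 0.13.2.1 / 2013-10-29` carries only `* SBU1: security release`. Keep the Shellwords bullet in the 0.14.x section (the ReleaseNotes hunk says both 0.13.2.1 and 0.14.1.1 carry the fix) and give the 0.13.2.1 entry at least the same one-line description, so someone scanning History.txt can tell which versions contain the injection fix without opening ReleaseNotes.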
diff --git a/ReleaseNotes b/ReleaseNotes
@@ -10,6 +10,28 @@ Shellwords.escape was used somewhat incorrectly which still allowed a
potential remote command injection, please make sure your mime-view/mime-decode
hooks have been updated (see wiki).
+Release 0.13.2.1:
+
+Security advisory (#SBU1) for Sup
+
+We have been notified of an potential exploit in the somewhat careless
+way Sup treats attachment metadata in received e-mails. The issues
+should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
+incorporates these fixes. Please upgrade immediately and also ensure
+that your mime-decode or mime-view hooks are secure [0], [1].
+
+This is specifically related to using quotes (',") around filename or
+content_type which is already escaped using Ruby Shellwords.escape -
+this means that the string (content_type, filename) is intended to be
+used _without_ any further quotes. Please make sure that if you use
+.mailcap (non OSX systems), you do not quote the string.
+
+Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
+discovered and suggested fixes for these issues.
+
+[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
+[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
+
Release 0.14.1:
Service release to 0.14.0 plus a predefined 'All mail' search.
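Review bot: the advisory tells users to use the escaped filename and content_type `_without_ any further quotes` but never says why, and that reason is the whole point of SBU1. Ruby's Shellwords.escape backslash-escapes shell metacharacters (a single quote becomes `\'`) and wraps embedded newlines in single quotes; both are only safe when the result is used unquoted, because inside a single-quoted mailcap argument the backslash is literal and the quote characters it emits close the argument early, leaving the rest of the attacker-controlled string to be parsed by the shell. One sentence to that effect after the sentence about Shellwords.escape would make the .mailcap guidance self-explanatory. Wording in the same hunk: `an potential exploit` should be `a potential exploit`, and `0.14.1.1 which incorporates these fixes` should be `0.14.1.1, which incorporate these fixes`.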