sup

A curses threads-with-tags style email client

sup.git

git clone https://supmua.dev/git/sup/
commit e1a2076133b36f6d565441f16bfbd2c026ac7752
parent b88e31fc09fdaef84f6e6be8deea182a9690e61b
Author: Gaute Hope <eg@gaute.vetsj.com>
Date:   Tue, 29 Oct 2013 11:22:16 +0100

Merge notes from 0.13.2.1, release notes from 0.14.1.1

Conflicts:
	lib/sup/version.rb

Conflicts:
	CONTRIBUTORS
	History.txt
	ReleaseNotes

Conflicts:
	History.txt
	ReleaseNotes

Diffstat:
M History.txt | 10 ++++++++++
M ReleaseNotes | 26 ++++++++++++++++++++++++++
M lib/sup/version.rb | 2 +-
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/History.txt b/History.txt
@@ -1,3 +1,13 @@
+== 0.14.1.1 / 2013-10-29
+
+* SBU1: security release
+* Tempfiles for attachments are persistent through the sup process to
+  ensure that spawned processes have access to them.
+
+== 0.13.2.1 / 2013-10-29
+
+* SBU1: security release
+
 == 0.14.1 / 2013-08-31
 
 * Various bugfixes.
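Review bot: In the 0.14.1.1 entry, the tempfile line says attachment tempfiles now persist for the lifetime of the sup process but does not say when they are removed or with what permissions they are created. Since this ships in a security release, add a clause on cleanup (for example that they are deleted when sup exits) if that is the case. The bare `* SBU1: security release` line in both entries would also be easier to act on with a short summary, such as the attachment filename and content_type handling described in ReleaseNotes.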
diff --git a/ReleaseNotes b/ReleaseNotes
@@ -1,3 +1,29 @@
+Release 0.14.1.1:
+
+See 0.13.2.1.
+
+Release 0.13.2.1:
+
+Security advisory (#SBU1) for Sup
+
+We have been notified of an potential exploit in the somewhat careless
+way Sup treats attachment metadata in received e-mails. The issues
+should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
+incorporates these fixes. Please upgrade immediately and also ensure
+that your mime-decode or mime-view hooks are secure [0], [1].
+
+This is specifically related to using quotes (',") around filename or
+content_type which is already escaped using Ruby Shellwords.escape -
+this means that the string (content_type, filename) is intended to be
+used _without_ any further quotes. Please make sure that if you use
+.mailcap (non OSX systems), you do not quote the string.
+
+Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
+discovered and suggested fixes for these issues.
+
+[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
+[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
+
 Release 0.14.1:
 
 Service release to 0.14.0 plus a predefined 'All mail' search.
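Review bot: The 0.14.1.1 section consists only of `See 0.13.2.1.`, yet History.txt in this same commit lists a tempfile change under 0.14.1.1 that is absent from 0.13.2.1, so the release notes for that version are incomplete; mention the tempfile behaviour there. In the 0.13.2.1 text, the instruction not to quote the string in .mailcap would be clearer with one unquoted example entry shown next to the quoted form to avoid, and "an potential exploit" should read "a potential exploit".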
diff --git a/lib/sup/version.rb b/lib/sup/version.rb
@@ -1,3 +1,3 @@
 module Redwood
-  VERSION = "0.14.1"
+  VERSION = "git"
 end
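Review bot: `VERSION = "git"` replaces a numbered version in the same commit that tells users to upgrade to 0.13.2.1 or 0.14.1.1, so a build from this branch cannot be checked against the advisory by its version string. Consider a string that carries the base release (for example a suffix on the last release number), or a comment stating that this branch includes the SBU1 fixes.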