* Security advisory, releases 0.13.2.1 and 0.14.1.1
@ 2013-10-29 10:54 Gaute Hope
0 siblings, 0 replies; only message in thread
From: Gaute Hope @ 2013-10-29 10:54 UTC (permalink / raw)
To: sup-talk, sup-devel
[-- Attachment #1: Type: text/plain, Size: 1137 bytes --]
Greetings,
Security advisory (#SBU1) for Sup
We have been notified of an potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
incorporates these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].
This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non OSX systems), you do not quote the string.
Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
discovered and suggested fixes for these issues.
[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
You can use 'gem' to upgrade or install sup. Please report any issues
to: https://github.com/sup-heliotrope/sup/issues
Regards, Gaute
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-10-29 10:56 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-10-29 10:54 Security advisory, releases 0.13.2.1 and 0.14.1.1 Gaute Hope
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox