[sup-talk] Security advisory, releases 0.13.2.1 and 0.14.1.1
eg at gaute.vetsj.com
Tue Oct 29 10:54:58 UTC 2013
Security advisory (#SBU1) for Sup
We have been notified of an potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
incorporates these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure , .
This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non OSX systems), you do not quote the string.
Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
discovered and suggested fixes for these issues.
You can use 'gem' to upgrade or install sup. Please report any issues
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: not available
More information about the sup-talk