ReleaseNotes in sup-0.13.2 vs ReleaseNotes in sup-0.13.2.1

- old
+ new

@@ -1,4 +1,27 @@ +Release 0.13.2.1: + +Security advisory (#SBU1) for Sup + +We have been notified of an potential exploit in the somewhat careless +way Sup treats attachment metadata in received e-mails. The issues +should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which +incorporates these fixes. Please upgrade immediately and also ensure +that your mime-decode or mime-view hooks are secure [0], [1]. + +This is specifically related to using quotes (',") around filename or +content_type which is already escaped using Ruby Shellwords.escape - +this means that the string (content_type, filename) is intended to be +used _without_ any further quotes. Please make sure that if you use +.mailcap (non OSX systems), you do not quote the string. + +Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who +discovered and suggested fixes for these issues. + +[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments +[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup + + Release 0.13.2: FreeBSD compatability and more thread safe polling. Release 0.13.1:
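Review bot: In the added 0.13.2.1 advisory, the paragraph beginning "This is specifically related to using quotes" tells users not to quote the string in .mailcap, but it never shows what an affected entry looks like and does not say which earlier releases are affected. Suggest adding one short quoted-versus-unquoted illustration and the affected version range, so readers can audit their mime-decode and mime-view hooks without having to follow the wiki links [0] and [1]. It would also help to state the consequence in one sentence, since "potential exploit" does not tell the reader what an attacker-controlled filename or content_type can do. Wording nits in the same block: "an potential exploit" should be "a potential exploit", "which incorporates these fixes" should be "which incorporate these fixes" because it refers to two releases, and "non OSX systems" would read better hyphenated. The unchanged context line "FreeBSD compatability" has a typo ("compatibility") that could be fixed while this file is being touched.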