* b4 v0.7.3 is available
@ 2021-08-13 15:01 Konstantin Ryabitsev
From: Konstantin Ryabitsev @ 2021-08-13 15:01 UTC (permalink / raw)
To: tools, users
Hello, all:

B4 stable release 0.7.3 is now available. This is a bugfix release that
addresses a few corner-cases and fixes a security issue:

- when using "b4 mbox" with messages containing malicious message-ids, b4
  0.7.2 and earlier could potentially overwrite arbitrary file contents if the
  message-id contains path escape characters such as "." and "/". It would be
  difficult to exploit this with a meaningful result, as "b4 mbox" always
  saves raw rfc2822 messages, containing full email headers. This problem does
  not manifest when using "b4 am" or other subcommands as sanitization was
  already applied to generated filenames.

Additional fixes in this release:

- Fixes "b4 am --guess-base" (though a much better implementation is in master)
- Ignores any trailer-like content below standard signature marker "-- "
- Fixes a crash when a header is incorrectly qp-encoded
- Fixes a crash when user locale is not utf-8 and a message is passed on stdin

Everyone must upgrade.

To upgrade, run:

    pip install --upgrade b4

Or simply update to the latest git if using straight from a checkout.
---
Special thanks in this release:

- Kyle Meyer
- Rob Herring
- Uwe Kleine-König

Shortlog:

Konstantin Ryabitsev (6):
      Up version to 0.7.3-dev
      Don't append .git unnecessarily
      Sanitize msgid before using it as savename
      Don't consider signature contents for trailers
      Handle decoding incorrectly encoded headers
      Prepare for 0.7.3 release

Kyle Meyer (1):
      Avoid decoding errors when extracting message ID from stdin

Rob Herring (1):
      Allow '.git' to be a file for worktrees

-K
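The filename problem described in the announcement, as an added example that is not part of the original message and is not b4's own code: a save name taken directly from a message-id versus one reduced to a single inert path component, plus a containment check on the final path. The function names, the allowed character set, the ".mbx" suffix and the sample message-ids are assumptions made for this illustration.

```python
import os
import re
import tempfile

# Hypothetical helpers for illustration; not b4's implementation.
_UNSAFE = re.compile(r"[^A-Za-z0-9@_+%-]+")  # assumed allow-list, drops "." and "/"


def naive_savename(msgid: str) -> str:
    """Unsanitized pattern: the message-id is used as the filename as-is."""
    return msgid.strip("<>") + ".mbx"


def safe_savename(msgid: str) -> str:
    """Reduce a message-id to one path component with no separators or dots."""
    name = _UNSAFE.sub("_", msgid.strip("<>")).strip("_")
    # Cap the length and never hand back an empty name.
    return (name[:200] or "unnamed") + ".mbx"


def resolve_inside(outdir: str, filename: str) -> str:
    """Join and confirm the result stays under outdir (defense in depth)."""
    base = os.path.realpath(outdir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing to write outside {base}: {filename!r}")
    return target


def demo() -> dict:
    """Return {label: (naive name stays inside outdir, sanitized name)}."""
    # Constructed message-ids, not taken from any real message.
    samples = {
        "benign": "<20210813150100.abc123@example.org>",
        "hostile": "<../../outside/target@example.org>",
    }
    results = {}
    with tempfile.TemporaryDirectory() as outdir:
        for label, msgid in samples.items():
            try:
                resolve_inside(outdir, naive_savename(msgid))
                naive_ok = True
            except ValueError:
                naive_ok = False
            safe = safe_savename(msgid)
            resolve_inside(outdir, safe)  # sanitized names always pass
            results[label] = (naive_ok, safe)
    return results


if __name__ == "__main__":
    for label, (naive_ok, safe) in demo().items():
        print(f"{label}: naive stays inside={naive_ok}, sanitized={safe}")
```

Nothing is written to disk; the check only resolves paths inside a temporary directory.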