tools.linux.kernel.org archive mirror
* b4 v0.7.3 is available
From: Konstantin Ryabitsev @ 2021-08-13 15:01 UTC (permalink / raw)
  To: tools, users


Hello, all:

B4 stable release 0.7.3 is now available. This is a bugfix release that
addresses a few corner-cases and fixes a security issue:

- when using "b4 mbox" with messages containing malicious message-ids, b4
  0.7.2 and earlier could potentially overwrite arbitrary file contents if the
  message-id contains path escape characters such as "." and "/". It would be
  difficult to exploit this with a meaningful result, as "b4 mbox" always
  saves raw rfc2822 messages, containing full email headers. This problem does
  not manifest when using "b4 am" or other subcommands as sanitization was
  already applied to generated filenames.

Additional fixes in this release:

- Fixes "b4 am --guess-base" (though a much better implementation is in master)
- Ignores any trailer-like content below standard signature marker "-- "
- Fixes a crash when a header is incorrectly qp-encoded
- Fixes a crash when user locale is not utf-8 and a message is passed on stdin

Everyone must upgrade.

To upgrade, run:

    pip install --upgrade b4

Or simply update to the latest git if using straight from a checkout.

---

Special thanks in this release:

- Kyle Meyer
- Rob Herring
- Uwe Kleine-König

Shortlog:

Konstantin Ryabitsev (6):
      Up version to 0.7.3-dev
      Don't append .git unnecessarily
      Sanitize msgid before using it as savename
      Don't consider signature contents for trailers
      Handle decoding incorrectly encoded headers
      Prepare for 0.7.3 release

Kyle Meyer (1):
      Avoid decoding errors when extracting message ID from stdin

Rob Herring (1):
      Allow '.git' to be a file for worktrees

-K
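
The message-id filename problem described in the announcement, as an added example that is not part of the original message and is not b4's own code: a save path built directly from a message-id next to a sanitized version with a containment check. The function names, the ".mbx" suffix, the output directory and the sample message-ids are assumptions constructed for illustration.

```python
import os
import re

def naive_savename(msgid: str, outdir: str) -> str:
    # Vulnerable pattern: the sender-controlled message-id becomes the path as-is.
    # Note that os.path.join discards outdir entirely if the id starts with "/".
    return os.path.join(outdir, msgid.strip("<>") + ".mbx")

def is_inside(path: str, outdir: str) -> bool:
    # True only if path resolves to a location under outdir.
    root = os.path.realpath(outdir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def safe_savename(msgid: str, outdir: str) -> str:
    # Keep a conservative character set; "/" and anything else unusual become "_".
    name = re.sub(r"[^A-Za-z0-9@._-]", "_", msgid.strip("<>"))
    # Collapse dot runs and drop leading dots so no ".." sequence or hidden
    # file name survives.
    name = re.sub(r"\.{2,}", ".", name).lstrip(".")
    path = os.path.join(outdir, (name or "unnamed") + ".mbx")
    # Defence in depth: refuse anything that still resolves outside outdir.
    if not is_inside(path, outdir):
        raise ValueError("refusing to write outside " + outdir)
    return path

# Constructed sample message-ids (not taken from any real message).
SAMPLES = [
    "<20210813150100.abc123@example.org>",
    "<../../home/user/.bashrc@example.org>",
    "</etc/cron.d/job@example.org>",
]

def audit(outdir: str = "/tmp/b4-example-out"):
    # For each id: (msgid, does the naive path stay inside outdir?, sanitized path)
    return [(m, is_inside(naive_savename(m, outdir), outdir), safe_savename(m, outdir))
            for m in SAMPLES]

if __name__ == "__main__":
    for msgid, naive_ok, safe in audit():
        print(f"{msgid}\n  naive path stays inside: {naive_ok}\n  sanitized: {safe}")
```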

