[DRE-maint] Bug#728232: sup-mail: remote command injection in content_type

Salvatore Bonaccorso carnil at debian.org
Wed Oct 30 05:25:39 UTC 2013


Control: retitle -1 sup-mail: CVE-2013-4478 and CVE-2013-4479

Actually I was not correct, there should be two issues:

CVE-2013-4478: For the issue specifically covered in
http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt which
is
https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785
(security: shellwords escape attachment file names to prevent remote
code execution).

CVE-2013-4479:
https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42
(security: prevent remote command injection in content_type)

See http://www.openwall.com/lists/oss-security/2013/10/30/2 for the
correction of this.

Regards,
Salvatore
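Both commits named above close the same class of bug: a value taken from an untrusted message (an attachment file name in one case, the Content-Type field in the other) was interpolated into a shell command string. The Ruby snippet below is an added illustration, not code from sup or from either commit; the viewer program name and the sample file name are constructed placeholders. It contrasts the vulnerable interpolation with Shellwords escaping and with the argv-array form, and uses Shellwords.split to inspect how a POSIX shell would tokenise each command line without actually executing anything.

```ruby
require 'shellwords'

# Constructed sample value (not from the advisory): an attachment file name
# carrying shell metacharacters. A Content-Type value would flow through the
# same sink in the same way.
HOSTILE_FILENAME = "report.pdf; echo injected"

# Vulnerable pattern: the untrusted field is interpolated straight into a
# command string that will be handed to a shell. The shell then parses the
# metacharacters in the file name as syntax.
def unsafe_command(viewer, untrusted)
  "#{viewer} #{untrusted}"
end

# Hardened pattern (what the commits switched to): Shellwords.escape
# backslash-quotes every metacharacter, so the shell receives the whole
# value as a single argument.
def escaped_command(viewer, untrusted)
  "#{viewer} #{Shellwords.escape(untrusted)}"
end

# Stronger still: build argv as an array for Kernel#system/spawn, so no shell
# parses the value at all. Returned rather than executed so this stays inert.
def argv_command(viewer, untrusted)
  [viewer, untrusted]
end

# Tokenise a command line the way a POSIX shell would (honouring quotes and
# backslashes) without running it, so we can see what argv would become.
def shell_tokens(cmd)
  Shellwords.split(cmd)
end

if __FILE__ == $PROGRAM_NAME
  viewer = "hypothetical-viewer" # placeholder, not a real sup setting
  p shell_tokens(unsafe_command(viewer, HOSTILE_FILENAME))  # file name splits into several argv words
  p shell_tokens(escaped_command(viewer, HOSTILE_FILENAME)) # file name stays one argv word
  p argv_command(viewer, HOSTILE_FILENAME)
end
```

The check to carry away: after escaping, Shellwords.split returns the original file name unchanged as one element, which is exactly the property the shell needs; the argv-array form gives the same result without depending on escaping at all.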


