[Security-Update] claws-mail 3.3.1


[Security-Update] claws-mail 3.3.1

Ulrich Kahl
Hi!

This diff updates claws-mail to version 3.3.1

The most important change is this:

- Forbid attaching anything containing "../" or ".ssh/" in mailto: URIs.

Since it is security related, I think it should go in, but YMMV.

complete changelog: <http://www.claws-mail.org/news.php>

Don't know if this version change affects external plugins,
claws-mail-notification only needed to be recompiled.

        Ulrich

claws-mail.diff (1K) Download Attachment

Re: [Security-Update] claws-mail 3.3.1

Pierre-Emmanuel André
On Mon, 25 Feb 2008 11:33:40 +0100,
Ulrich Kahl <[hidden email]> wrote:

> Hi!
>
> This diff updates claws-mail to version 3.3.1
>
> The most important change is this:
>
> - Forbid attaching anything containing "../" or ".ssh/" in mailto:
> URIs.
>
> Since it is security related, I think it should go in, but YMMV.
>
> complete changelog: <http://www.claws-mail.org/news.php>
>
> Don't know if this version change affects external plugins,
> claws-mail-notification only needed to be recompiled.
>
> Ulrich

Hi,

Builds and works fine on @i386 with ldap-flavor.
Claws-mail-cachesaver only needs to be recompiled.

Regards,

Pea


Re: [Security-Update] claws-mail 3.3.1

Landry Breuil-3
In reply to this post by Ulrich Kahl
On Mon, Feb 25, 2008 at 11:33:40AM +0100, Ulrich Kahl wrote:

> Hi!
>
> This diff updates claws-mail to version 3.3.1
>
> The most important change is this:
>
> - Forbid attaching anything containing "../" or ".ssh/" in mailto: URIs.
>
> Since it is security related, I think it should go in, but YMMV.
>
> complete changelog: <http://www.claws-mail.org/news.php>
>
> Don't know if this version change affects external plugins,
> claws-mail-notification only needed to be recompiled.

I'm taking care of this, thanks a lot!

Landry


Re: [Security-Update] claws-mail 3.3.1

Antoine Jacoutot
In reply to this post by Ulrich Kahl
On Mon, 25 Feb 2008, Ulrich Kahl wrote:
> The most important change is this:
>
> - Forbid attaching anything containing "../" or ".ssh/" in mailto: URIs.
>
> Since it is security related, I think it should go in, but YMMV.

How is it security related?

I don't see any security fix mentioned here (or am I looking in the
wrong place?):
http://www.claws-mail.org/news.php

--
Antoine