Hello list, this is a subminor release to address CVEs 2004-2771 and 2014-7844 [1].
These CVEs address decade old documented behaviour that was supposed to be classifieable under "feature" rather than "bug": it is possible to use file and pipe addresses, as in "./out.mbox" or "|cat > out.mbox" and have the mail delivered accordingly. They enforce a new option *expandaddr*, unset by default, which specifies wether such special addresses shall be supported or not. [1] http://seclists.org/oss-sec/2014/q4/1066 While having a need to update, ship a little bit more. (I've initially planned to release v14.8 before christmas, but now i think this will be delayed a few weeks, leaving more time to write missing tests for new features and add some more of the latter. And yes, i have to add address checks for the new mailing-list handling code.) The release tarballs can be downloaded (e.g., via 'curl -vv -L') from, and their checksums are: <https://downloads.sourceforge.net/project/s-nail/s-nail-14_7_9.tar.xz> MD5 = e30503d8e1ef39c92f3ef950088cd6eb SHA1 = acca067ca17fbc1a2079b323a85b2c2522489ed1 SHA256 = ef55d0f8715985acc8637d918f76a15edfee5b4febb3550bbf2f93cb4e6dc01b <https://downloads.sourceforge.net/project/s-nail/s-nail-14_7_9.tar.gz> MD5 = 66d8620841ace0f3f17063443cc74bc3 SHA1 = bde5e70c5a45e318b94f7ca31a075fe0fe7624ad SHA256 = 7bef8ce7f19fcfaf895fa8acbf6c9a20571dcbb1bc323104e0273547f449de51 Online manual: <http://sdaoden.users.sourceforge.net/code-nail.html> [Web site : <http://sdaoden.users.sourceforge.net/code.html#s-nail>] (Note that Sourceforge doesn't allow updates at the moment. I'll try again tomorrow.) git(1) repo : <git.code.sf.net/p/s-nail/code> (git:// or http://) git(1) browse: <http://sourceforge.net/p/s-nail/code/> The complete changelog of commits in between two versions can be inspected by using the git(1) `log' command as shown below, where `OLD' and `NEW' are the two versions to be compared, e.g., v14.7.8 and v14.7.9: # All commits: $ git log --reverse --topo-order --abbrev-commit OLD..NEW # Only topic branch headers (--no-merges for content commits only): $ git log --oneline --reverse --topo-order --merges OLD..NEW # Same, but truly accessible: $ git log --oneline --reverse --topo-order --merges --parents OLD..NEW | while read c1 c2 c3 c4 c5 c6; do printf "%-24s: \$ git log --oneline --no-merges ${c1} ^${c2}\n" "${c6}"; done I'll only post the news for v14.7.9, please see the file NEWS for a more complete picture. v14.7.9, 2014-12-17 ------------------- Thanks to Jürgen Daubert and Peter Hofmann. [1] http://seclists.org/oss-sec/2014/q4/1066 ChangeLog ^^^^^^^^^ - In -v / *verbose* mode SSL/TLS certificate date and time information will be printed; until now we only supported UTC times which could result in false messages stating that the datetime is bogus. [16ef155] result in false messages stating that the datetime is bogus. [16ef155] - *netrc-lookup* could have matched ambiguous entries. [debbf98] - *sendmail-arguments* works without requiring a user to "allocate" more destination space by adding space characters to the string. [1c7daaf] - Always terminate MTA option processing with "--". Part of addressing the CVEs as above: prevent system-wide aliases that start with a hyphen to be interpreted as arguments to the MTA. [597249b] - New value: *expandaddr*, as above. Extending the CVE S-nail's *expandaddr* can be set to the value "restrict" in which case even a set *expandaddr* doesn't enable file and pipe addresses in non-interactive mode unless -~ or -# command line options were given. [ba8c596] - fio.c:_globname(): use WRDE_NOCMD if available. Part of addressing the CVEs as above: prevent command substitutions when expand() strings (mailbox names). [7c7134b] - Drop the "line" statistics counter that could be seen when `copy'ing or `save'ing messages, only keep the "byte" counter. The former was a lie since it counted the lines of the source- rather than of the destination message. Bug introduced on 2007-07-16 (in [670ea1c]). We'll reintroduce correct statistics once we can generate them. Could crash S-nail because it assumed false (readonly) buffer sizes. I give the credit to Peter Hofmann since i think this is why he insisted on very long, soft-newline continued quoted-printable lines back in the day. Wasn't seen since the stdio buffer sizes on practically all operating systems are pretty large, and the access in the buffers was read-only (so no canary cheep). [effb676] - Until now blocks inside of `if' etc. were evaluated (as noops) even if the conditional block was as such a noop. Therefore non-existing commands etc. would have been recognized as errors. From now on this is no longer true. [c41d564, dc15be6] - `ghost's can now defined without quoting. [f183818] E.g.: -? ghost ls '!ls -latro' +? ghost ls !ls -Flatr Have fun, and Ciao! --steffen ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ S-nail-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/s-nail-users
