The mail gem is a dependency of TaskJuggler. If you are using the
timesheet/statusheet automation features, you are affected by this
mail security vulnerability. First tests have not revealed any
compatibility issues, so an immediate upgrade to mail 2.4.3 is
recommended.
Chris
---------- Forwarded message ----------
From: Mikel Lindsaar <raas...@gmail.com>
Date: Tue, Mar 6, 2012 at 9:55 AM
Subject: [ruby-mail] Security Vulnerability in Exim and Sendmail support
To: Ruby's Mail Discussion Group <mail...@googlegroups.com>
VERSIONS AFFECTED: Mail gem 2.3.0 and 2.4.1 or earlier
SYSTEMS AFFECTED: Those using sendmail or exim for mail delivery
FIXED VERSIONS: 2.3.2 or 2.4.3 or higher
Details:
There is a security vulnerability in Mail versions 2.3.0 and 2.4.1 or
earlier that allowed an attacker to pass in an email that could
execute commands on the host system.
This was previously fixed, but was broken in a regression.
A spec has been added to prevent this regression from happening again.
All users of mail who use 2.3 or 2.4 should update immediately to at
least version 2.3.2 and 2.4.3.
Thanks.
Mikel Lindsaar
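
To check which mail version a project has locked against the fixed releases named in the advisory, a small script can be used. The following is an added example, not code from the mail gem or TaskJuggler. The function names and the sample Gemfile.lock are constructed for illustration, and it assumes that any version not listed as fixed should be upgraded.

```ruby
require "rubygems"

# Fixed releases named in the advisory: 2.3.2 (2.3 series) and 2.4.3 or higher.
FIXED_2_3 = Gem::Version.new("2.3.2")
FIXED_2_4 = Gem::Version.new("2.4.3")

# Constructed sample Gemfile.lock fragment (example_app is a placeholder gem).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_app (0.0.0)
        mail (>= 2.3.0)
      mail (2.4.1)
LOCK

# True only for versions the advisory lists as fixed.
# Assumption: anything else, including releases older than 2.3.0,
# is treated as needing an upgrade.
def mail_version_fixed?(version)
  v = Gem::Version.new(version)
  return v >= FIXED_2_3 if v.segments[0, 2] == [2, 3]
  v >= FIXED_2_4
end

# Resolved versions sit at four spaces of indent under "specs:".
# Dependency constraints are indented deeper and are skipped.
def locked_mail_versions(lockfile_text)
  lockfile_text.scan(/^ {4}mail \(([^)\s]+)\)[ \t]*$/).flatten
end

# One result hash per locked mail version found in the lockfile text.
def audit_lockfile(lockfile_text)
  locked_mail_versions(lockfile_text).map do |version|
    { version: version, fixed: mail_version_fixed?(version) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a Gemfile.lock, or run without arguments for the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  audit_lockfile(text).each do |result|
    status = result[:fixed] ? "fixed release" : "upgrade to 2.3.2 / 2.4.3 or higher"
    puts "mail #{result[:version]}: #{status}"
  end
end
```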