Bumps mail from 2.5.4 to 2.5.5. This update includes security fixes.
Vulnerabilities fixed
> **SMTP command injection**
> Because Mail does not disallow CRLF in email addresses, an attacker can
> inject SMTP commands in specially crafted email addresses passed to
> RCPT TO and MAIL FROM.
>
> Not affected by this vulnerability:
> * Ruby 2.4.0+ with a fix for CVE-2015-9096.
> * Applications that do not use SMTP delivery.
> * Applications that validate email addresses to not include CRLF.
>
> The injection attack is described in Terada, Takeshi. "SMTP Injection via
> Recipient Email Addresses." 2015. The attacks described in the paper
> (Terada, p. 4) can be applied to the library without any modification.
>
> Patched versions: [">= 2.5.5"]
> Unaffected versions: []
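The advisory lists "applications that validate email addresses to not include CRLF" as unaffected. The following is an added example, not code from the mail gem or from this Dependabot PR, showing what such a check looks like at the point where an address is about to become an SMTP envelope line. `safe_smtp_address!`, `envelope_line` and `UnsafeAddressError` are hypothetical names chosen for the example; the sample inputs are constructed.

```ruby
# Added example (not from the mail gem or the Dependabot PR): a defensive
# check that refuses to hand an address containing CR or LF to SMTP
# delivery, which is the mitigation the advisory lists as "validate email
# addresses to not include CRLF". All names here are hypothetical.

class UnsafeAddressError < ArgumentError; end

# Characters that must never appear in an SMTP envelope address: CR, LF and
# other control characters. A bare CR or a bare LF is rejected too, since
# some servers treat either one alone as a line terminator.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

def safe_smtp_address!(address)
  raise UnsafeAddressError, "address must be a String" unless address.is_a?(String)
  if address.match?(CONTROL_CHARS)
    raise UnsafeAddressError, "control character in address: #{address.inspect}"
  end
  # An envelope address is a single token: no whitespace, no angle brackets,
  # exactly one '@'.
  unless address =~ /\A[^\s@<>]+@[^\s@<>]+\z/
    raise UnsafeAddressError, "malformed address: #{address.inspect}"
  end
  address
end

# Build one SMTP envelope line (e.g. "RCPT TO:<user@example.com>\r\n").
# Validation happens here, so the only CRLF in the line is the one we append.
def envelope_line(verb, address)
  "#{verb}:<#{safe_smtp_address!(address)}>\r\n"
end

# Convenience for callers that want a boolean instead of an exception.
def safe_smtp_address?(address)
  safe_smtp_address!(address)
  true
rescue UnsafeAddressError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  print envelope_line("MAIL FROM", "sender@example.com")
  puts safe_smtp_address?("user@example.com\r\nextra") # => false
end
```

The check is deliberately placed in the function that produces the envelope line rather than in a separate validation layer, so that a code path which forgets to validate cannot reach the socket. Rejecting all control characters, not only the exact `\r\n` pair, covers servers that accept a lone LF as a line terminator.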
Changelog
*Sourced from mail's [changelog](https://github.com/mikel/mail/blob/master/CHANGELOG.rdoc).*
> == Version 2.8.0 (unreleased)
>
> Breaking changes:
> * Message#without_attachments! now deletes nested attachments. (TylerRick)
> * Sendmail and exim delivery now raise DeliveryError when the command exits with a nonzero exitstatus. (benmmurphy, CoolElvis)
> * Sendmail and exim delivery :arguments option must be an array of string args. (benmmurphy)
> * Passing unparsed headers to Mail::Field.new is no longer supported. Use Mail::Field.parse. (jeremy)
> * Removed long-deprecated features: Message#register_for_delivery_notification, #has_transfer_encoding?, #add_transfer_encoding, #transfer_encoding, #message_content_type, #mime_parameters, #encode!, and Part#inline_content_id. (jeremy)
>
> Compatibility:
> * Handle a wide variety of non-RFC Message-ID formats. (peterkovacs)
> * Gracefully parse invalid dates in Date and Received headers. (okkez)
> * Converting to multipart moves Content-* headers to the new part. (kirikak2)
> * Multipart Content-Type no longer includes a needless charset param. (kirikak2)
> * Replies prefix subject with "Re: " instead of "RE: " per 5322 3.6.5. (mashedcode)
>
> Features:
> * Message#inspect_structure and PartsList#inspect_structure pretty-print the hierarchy of message parts. (TylerRick)
>
>
> Please check [2-7-stable](https://github.com/mikel/mail/blob/2-7-stable/CHANGELOG.rdoc) for previous changes.
Commits
- [`97a8548`](https://github.com/mikel/mail/commit/97a85482c6fa2ea8284c4f95aa98e435fb2ec2d1) 2.5.5 release
- [`63fb41b`](https://github.com/mikel/mail/commit/63fb41b6382139d3926fa575acfa4021b8092815) Always use an SSL context. [Fixes #548]
- [`f84b84d`](https://github.com/mikel/mail/commit/f84b84dfe5274f57a6b4fc14511cd45b1fd717eb) Specs: fix missing should_receive from f60ccc660434d445b78e8281833c99048a00de20
- [`f60ccc6`](https://github.com/mikel/mail/commit/f60ccc660434d445b78e8281833c99048a00de20) Fix Mail::Exim, forgotten in 4875bc2b
- [`527067d`](https://github.com/mikel/mail/commit/527067d226a44be475855b71dee96e2b7edfdc0f) Gemfile: no rdoc 5 on Ruby 1.9.2
- [`396d39f`](https://github.com/mikel/mail/commit/396d39f5639f6003f588e4eb8eb3e5dc6601bd84) Clamp down allowed gem versions depending on Ruby version supported
- [`b9cee02`](https://github.com/mikel/mail/commit/b9cee0256e6d4068b18020c54cd23e1498f7d5e6) Specs: fix expect-style that wasn't backported to old should-style
- [`b5a2884`](https://github.com/mikel/mail/commit/b5a2884823c20fbd74a2e407dbbd8e42e3748549) Backport fixes for specs on Ruby 1.9.3+
- [`6110413`](https://github.com/mikel/mail/commit/611041343537ddfabd728b6e65731ad5c7d33005) Fix tested Ruby versions in README
- [`ddc85ed`](https://github.com/mikel/mail/commit/ddc85edb6c86e112de69147622a78e5d1a17b345) use latest ruby version in CI
- Additional commits viewable in [compare view](https://github.com/mikel/mail/compare/2.5.4...2.5.5)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
Finally, you can contact us by mentioning @dependabot.