This release includes two important security fixes, so upgrading is recommended.
This is a security release which addresses two separate moderate security advisories (see below). A huge thanks to the security researchers (@omarkurt & @mdisec) who reported these issues responsibly.
The release also includes a few bug fixes, dependency updates, and test improvements.
Security
- Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
- Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
Chore
- Fix formatting and update reporting instructions in SECURITY.md (#614)
- Allow @ character in message tags & set max length to 100 characters per tag
- Update Go dependencies
- Update node dependencies
Fix
- Correctly render default addresses in release modal after settings change (#594)
- Correctly detect macOS group in install.sh (#619)
- Auto-tagging by SMTP username when using plain auth (#617)
- Validate maximum lengths of email addresses - RFC 5321 (section 4.5.3.1)
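As an added illustration of the two address checks named in the Security and Fix sections (not code from this release or the project itself), the function below validates one SMTP envelope address the way a defender would: it rejects CR/LF and other control characters that could inject a header, requires a bare RFC 5322 addr-spec via Go's standard library parser, and then enforces the RFC 5321 section 4.5.3.1 length limits. The function name, the use of net/mail, and the sample addresses in main are assumptions, not the project's implementation.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// RFC 5321 section 4.5.3.1 size limits, in octets.
const (
	maxLocalPart = 64
	maxDomain    = 255
	maxPath      = 256 // includes the "<" and ">" around a forward/reverse path
)

// ValidateEnvelopeAddress checks one SMTP envelope address (MAIL FROM / RCPT TO, given
// without angle brackets). Name and approach are assumptions, not the project's code.
func ValidateEnvelopeAddress(addr string) error {
	// A CR/LF (or any control character) would start a new header line when the
	// address is later written into a message header, so reject it outright.
	for _, r := range addr {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("control character %q in address (possible header injection)", r)
		}
	}
	// RFC 5322 syntax via the standard library; a display name or any parser rewriting means it was not a bare addr-spec.
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return fmt.Errorf("not an RFC 5322 address: %w", err)
	}
	if parsed.Name != "" || parsed.Address != addr {
		return fmt.Errorf("envelope address must be a bare addr-spec, got %q", addr)
	}
	// RFC 5321 4.5.3.1 limits; len() counts bytes, i.e. octets.
	at := strings.LastIndex(addr, "@")
	local, domain := addr[:at], addr[at+1:]
	switch {
	case len(local) > maxLocalPart:
		return fmt.Errorf("local-part is %d octets, limit %d", len(local), maxLocalPart)
	case len(domain) > maxDomain:
		return fmt.Errorf("domain is %d octets, limit %d", len(domain), maxDomain)
	case len(addr)+2 > maxPath:
		return fmt.Errorf("path <%s> is %d octets, limit %d", addr, len(addr)+2, maxPath)
	}
	return nil
}

func main() { // constructed samples: valid, CRLF injection attempt, over-long local-part
	for _, a := range []string{"alice@example.com", "bob@example.com\r\nBcc: x@example.com", strings.Repeat("a", 65) + "@example.com"} {
		fmt.Printf("%q -> %v\n", a, ValidateEnvelopeAddress(a))
	}
}
```

Addresses whose local-part the parser has to re-quote are rejected by the strict equality check; relax that comparison if such addresses must be accepted.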
Test
- Update tag tests with length limits and @ character
- Add SMTP tests for RFC 5322 address compliance and header injection
- Add maximum email length validation tests - RFC 5321 (section 4.5.3.1)