Topic: Security update: 0.4.7

A new version due to a (small) security problem, which comes with small improvements :)

Many users ask for support of Firefox 3. We will support it at the latest when the final version is released, or before if we have the time ^^

Bugs :

    * Fixed a (small) security problem (reported by Roee Hay, IBM).

FireGPG (tested on 0.4.6) suffers from a Cross-Site-Scripting flaw affecting Gmail.

Normally, after FireGPG automatically verifies signed mails in Gmail, it prints the public key issuer name underneath the mail message (i.e: "Good sign from Roee Hay  (made the 2007 17:26:52)").

However, the issuer name is not sanitized or verified, a fact which leads to an XSS vulnerability. If the issuer name contains malicious JavaScript (e.g: "<script> [XSS_PAYLOAD] </script>"), it will be executed under Gmail's context, thus giving the attacker an opportunity to steal the victim's cookies, mail and so on. It can be exploited by sending the victim a signed message and convincing him to add your malicious public key.

    * Fixed a problem with the mail autodetect system.

Functionalities :

    * Improved performance with Gmail
    * Patch from tjm1983 applied, which improves signing for the old Gmail version.

Locales :

    * English corrections from Sebastien Wains

Misc :

    * Changed the system for upgrades or installs (this page ^^)

Re: Security update: 0.4.7

More info regarding the security issue can be found at http://blog.watchfire.com/wfblog/2007/1 … 6-gma.html
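The issuer-name flaw described in the announcement, as an added example that is not FireGPG's code or part of the original thread: it contrasts a status line built by plain string concatenation with one that escapes every value taken from the key. All function names, the `gpg-status` class, the sample user IDs and the timestamp are assumptions made for illustration.

```javascript
"use strict";
// Added example, not FireGPG's code; every name below is hypothetical.

// Characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: text chosen by the key holder is concatenated into markup.
function renderStatusUnsafe(issuer, when) {
  return '<div class="gpg-status">Good sign from ' + issuer +
    " (made the " + when + ")</div>";
}

// Hardened pattern: every value read from the key or signature is escaped first.
// In a page script, assigning the text to element.textContent has the same effect.
function renderStatusSafe(issuer, when) {
  return '<div class="gpg-status">Good sign from ' + escapeHtml(issuer) +
    " (made the " + escapeHtml(when) + ")</div>";
}

// Counts opening tags, i.e. how many elements an HTML parser would create.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample inputs: an ordinary OpenPGP user ID (which legitimately
// contains angle brackets) and the placeholder from the advisory text.
const SAMPLE_UIDS = [
  "Alice Example <alice@example.org>",
  "<script> [XSS_PAYLOAD] </script>",
];
const SAMPLE_TIME = "2007-01-01 12:00:00"; // constructed timestamp

// For each user ID, report how many elements each rendering would create.
// The status line should always be exactly one element (the wrapping div).
function compareRenderings() {
  return SAMPLE_UIDS.map((uid) => ({
    uid,
    unsafeTags: countOpeningTags(renderStatusUnsafe(uid, SAMPLE_TIME)),
    safeTags: countOpeningTags(renderStatusSafe(uid, SAMPLE_TIME)),
  }));
}

console.log(compareRenderings());
```

Even the harmless user ID produces an extra element in the unescaped rendering, so a regression test that asserts exactly one element per status line catches the bug without needing a script payload.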