[ruby-core:121782] [Ruby Bug#21297] Update net-imap for ruby 3.2, 3.3, 3.4

Issue #21297 has been reported by nevans (Nicholas Evans).

----------------------------------------
Bug #21297: Update net-imap for ruby 3.2, 3.3, 3.4
https://bugs.ruby-lang.org/issues/21297

* Author: nevans (Nicholas Evans)
* Status: Open
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
The bundled `net-imap` versions are vulnerable to CVE-2025-43857 (GHSA-j3g3-5qv5-52mj).

This vulnerability does not affect securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user-supplied hostname).

Fixing the issue requires upgrading to [v0.2.5], [v0.3.9], [v0.4.20], or [v0.5.7].

* ruby 3.2.8 bundles net-imap v0.3.8
  PR: Bump net-imap to 0.3.9 for Ruby 3.2 https://github.com/ruby/ruby/pull/13213
* ruby 3.3.8 bundles net-imap v0.4.19
  PR: Bump net-imap to 0.4.21 for Ruby 3.3 https://github.com/ruby/ruby/pull/13214
* ruby 3.4.3 bundles net-imap v0.5.6
  PR: Bump net-imap to v0.5.8 for Ruby 3.4 https://github.com/ruby/ruby/pull/13215

I didn't have a release ready in time to be bundled with the final version of ruby 3.1, so I haven't created a PR for [v0.2.5].

The workaround is to uninstall the vulnerable bundled versions and `gem install net-imap`.

Security Advisory Links:
* https://www.cve.org/CVERecord?id=CVE-2025-43857
* https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj

[v0.2.5]: https://github.com/ruby/net-imap/releases/tag/v0.2.5
[v0.3.9]: https://github.com/ruby/net-imap/releases/tag/v0.3.9
[v0.4.20]: https://github.com/ruby/net-imap/releases/tag/v0.4.20
[v0.5.7]: https://github.com/ruby/net-imap/releases/tag/v0.5.7

-- 
https://bugs.ruby-lang.org/

Issue #21297 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 3.2: DONE, 3.3: REQUIRED, 3.4: DONE to 3.2: DONE, 3.3: DONE, 3.4: DONE

ruby_3_3: merged at commit:74f46982ebfbec4d21b6fc8aff47f2e290307d36.

----------------------------------------
Bug #21297: Update net-imap for ruby 3.2, 3.3, 3.4
https://bugs.ruby-lang.org/issues/21297#change-113328

* Author: nevans (Nicholas Evans)
* Status: Closed
* Backport: 3.2: DONE, 3.3: DONE, 3.4: DONE
----------------------------------------
The bundled `net-imap` versions are vulnerable to CVE-2025-43857 (GHSA-j3g3-5qv5-52mj).

This vulnerability does not affect securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user-supplied hostname).

Fixing the issue requires upgrading to [v0.2.5], [v0.3.9], [v0.4.20], or [v0.5.7].

* ruby 3.2.8 bundles net-imap v0.3.8
  PR: Bump net-imap to 0.3.9 for Ruby 3.2 https://github.com/ruby/ruby/pull/13213
* ruby 3.3.8 bundles net-imap v0.4.19
  PR: Bump net-imap to 0.4.21 for Ruby 3.3 https://github.com/ruby/ruby/pull/13214
* ruby 3.4.3 bundles net-imap v0.5.6
  PR: Bump net-imap to v0.5.8 for Ruby 3.4 https://github.com/ruby/ruby/pull/13215

I didn't have a release ready in time to be bundled with the final version of ruby 3.1, so I haven't created a PR for [v0.2.5].

[v0.4.21] and [v0.5.8] are primarily bug fixes, so my PRs for ruby 3.3 and 3.4 upgrade to those versions.

The workaround is to uninstall the vulnerable bundled versions and `gem install net-imap`.

Security Advisory Links:
* https://www.cve.org/CVERecord?id=CVE-2025-43857
* https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj

[v0.2.5]: https://github.com/ruby/net-imap/releases/tag/v0.2.5
[v0.3.9]: https://github.com/ruby/net-imap/releases/tag/v0.3.9
[v0.4.20]: https://github.com/ruby/net-imap/releases/tag/v0.4.20
[v0.4.21]: https://github.com/ruby/net-imap/releases/tag/v0.4.21
[v0.5.7]: https://github.com/ruby/net-imap/releases/tag/v0.5.7
[v0.5.8]: https://github.com/ruby/net-imap/releases/tag/v0.5.8

-- 
https://bugs.ruby-lang.org/