
v0.4.24


Released by github-actions on 23 Apr 22:19 (tag v0.4.24, commit 24a4e77)

Important

The 0.4.x release branch will only receive critical security fixes, and will be unsupported when Ruby 3.3 is EOL.
Please upgrade to a newer version.

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities: STARTTLS stripping, missing argument validation (command and argument injection), and denial of service by a hostile server.

Warning

#666 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully" without TLS having been started, so the rest of the session (including credentials sent by #login or #authenticate) continues in plaintext. Connections opened with implicit TLS (ssl: true, normally port 993) do not use #starttls and are not affected by this particular issue.

Important

Argument validation is significantly improved. Several injection vulnerabilities have been fixed, all of the same shape: an attacker-controlled value containing CRLF (or other IMAP special characters) was interpolated into a command unchecked, letting it terminate the command and append further commands:
#663 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px). Symbols were treated as inherently safe, but a Symbol can carry arbitrary bytes.
#663 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg).
#663 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
#663 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String.
    When attr is an Array, its String members are sent as raw data.

Caution

RawData is an intentionally low-level API. It now rejects CRLF, but it does not defend against other forms of argument injection: anything passed as raw data must be validated or quoted by the caller.
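The following is an added example, not net-imap's own code, showing why a CRLF inside a STORE flag or SETQUOTA limit is command injection on the wire, and what validating each argument against its RFC 3501 grammar (sequence-set, store-att-flags, flag, quoted-string) looks like. All function and constant names here are made up for the illustration; the injected values are constructed.

```ruby
# Added example, not net-imap's own code. Names below are hypothetical.

# RFC 3501: sequence-set = (seq-number / seq-range) *("," sequence-set)
SEQ_SET    = /\A(?:\d+|\*)(?::(?:\d+|\*))?(?:,(?:\d+|\*)(?::(?:\d+|\*))?)*\z/
# RFC 3501: store-att-flags = (["+" / "-"] "FLAGS" [".SILENT"])
STORE_ATTR = /\A[+-]?FLAGS(?:\.SILENT)?\z/i
# RFC 3501: flag = "\" atom (system flag) / atom (keyword); atom chars exclude
# "(" ")" "{" SP CTL "%" "*" DQUOTE "\" "]", which also excludes CR and LF.
FLAG       = /\A\\?[^(){ %*"\\\]\x00-\x1f\x7f]+\z/

def flag_to_s(flag)
  # Symbols are the conventional spelling of system flags (:Seen => "\Seen").
  # They are NOT inherently safe: a Symbol can hold any bytes, CRLF included.
  flag.is_a?(Symbol) ? "\\#{flag}" : flag.to_s
end

# The unsafe pattern: trust the caller and interpolate.
def store_command_naive(tag, set, attr, flags)
  "#{tag} STORE #{set} #{attr} (#{Array(flags).map { |f| flag_to_s(f) }.join(' ')})\r\n"
end

# The hardened pattern: validate every argument against its grammar first.
def store_command_checked(tag, set, attr, flags)
  raise ArgumentError, "bad sequence set #{set.inspect}" unless SEQ_SET.match?(set.to_s)
  raise ArgumentError, "bad STORE attr #{attr.inspect}" unless STORE_ATTR.match?(attr.to_s)
  flags = Array(flags).map { |f| flag_to_s(f) }
  flags.each { |f| raise ArgumentError, "bad flag #{f.inspect}" unless FLAG.match?(f) }
  "#{tag} STORE #{set} #{attr} (#{flags.join(' ')})\r\n"
end

# RFC 3501 quoted strings may not contain CR or LF at all (a literal is needed),
# and DQUOTE / backslash must be escaped.
def quoted(str)
  str = str.to_s
  raise ArgumentError, "CR/LF not allowed in a quoted string" if str.match?(/[\r\n]/)
  '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# storage_limit is a number in the grammar, so only accept an Integer.
def setquota_command_checked(tag, root, storage_limit)
  unless storage_limit.is_a?(Integer) && storage_limit >= 0
    raise ArgumentError, "storage_limit must be a non-negative Integer"
  end
  "#{tag} SETQUOTA #{quoted(root)} (STORAGE #{storage_limit})\r\n"
end

# How the server sees the bytes: one command per CRLF-terminated line.
def commands_on_wire(bytes)
  bytes.split("\r\n")
end

if __FILE__ == $0
  # Constructed attacker-controlled flag: closes the flag list, then smuggles a
  # LOGOUT; the trailing "A3 NOOP (" soaks up the ")" the caller appends.
  evil = :"Seen)\r\nA2 LOGOUT\r\nA3 NOOP ("
  p commands_on_wire(store_command_naive("A1", "1:3", "+FLAGS", [evil]))
  begin
    store_command_checked("A1", "1:3", "+FLAGS", [evil])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The naive builder turns one STORE call into three commands on the wire; the checked builder raises before anything is sent. The same shape of check applies to any argument the library interpolates: convert to a String first, then match the whole value against the grammar of the slot it is going into.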

Note

Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted, hostile server, or without TLS, where a network attacker can impersonate the server.

#651 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
#655 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (the maximum 32-bit signed integer), which was already OpenSSL's limit, so the default provides no protection against a hostile server. The server chooses the PBKDF2 iteration count, and the client does that work before it can tell whether the server is genuine, so set max_iterations explicitly to a lower value that your legitimate servers never exceed.
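An added example, not net-imap's own code, of the check #655 describes: parse a SCRAM server-first-message (RFC 5802: r=nonce, s=base64 salt, i=iteration count), refuse to run PBKDF2 when the server's count exceeds a cap, and show that the default cap accepts a count that would take the client offline for a long time. The function and constant names are made up; the real option is ScramAuthenticator#max_iterations. The messages are constructed, reusing the nonce and salt from the RFC 5802 example exchange.

```ruby
require "openssl"

# Added example, not net-imap's own code. Names below are hypothetical.
DEFAULT_MAX_ITERATIONS = 2**31 - 1   # the library default: effectively no cap
HASH_LEN = 32                        # SCRAM-SHA-256 output size

# RFC 5802 server-first-message: "r=<nonce>,s=<base64 salt>,i=<iteration count>"
def parse_server_first(msg)
  attrs = msg.split(",").to_h { |kv| kv.split("=", 2) }
  {
    nonce:      attrs.fetch("r"),
    salt:       attrs.fetch("s").unpack1("m0"),   # strict base64 decode
    iterations: Integer(attrs.fetch("i"), 10),
  }
end

# The bound that #655 adds: the server picks the PBKDF2 cost, so the client
# must cap it before doing any work.
def check_iterations!(iterations, max_iterations)
  raise ArgumentError, "iteration count must be positive" if iterations < 1
  if iterations > max_iterations
    raise ArgumentError, "server asked for #{iterations} PBKDF2 iterations, cap is #{max_iterations}"
  end
  iterations
end

# SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC (RFC 5802 section 2.2).
def salted_password(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: HASH_LEN, hash: "SHA256")
end

def client_salted_password(password, server_first, max_iterations: DEFAULT_MAX_ITERATIONS)
  sf = parse_server_first(server_first)
  check_iterations!(sf[:iterations], max_iterations)
  salted_password(password, sf[:salt], sf[:iterations])
end

if __FILE__ == $0
  # Constructed messages; nonce and salt are the RFC 5802 example values.
  honest  = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
  hostile = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=2000000000"

  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  client_salted_password("pencil", honest)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  puts format("4096 iterations: %.4fs; 2_000_000_000 would take roughly %.0fs",
              elapsed, elapsed / 4096 * 2_000_000_000)

  # Under the default cap the hostile count passes the check and PBKDF2 would run.
  check_iterations!(2_000_000_000, DEFAULT_MAX_ITERATIONS)
  begin
    client_salted_password("pencil", hostile, max_iterations: 1_000_000)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the timing line is that cost scales linearly with a number the peer controls and that the client pays before authentication completes, so the cap has to be chosen from what your real servers send rather than left at the 32-bit maximum.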

Added

Fixed

Other Changes

Full Changelog: v0.4.23...v0.4.24