
v0.6.4


@github-actions github-actions released this 23 Apr 21:55
· 4 commits to master since this release

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

#664 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.
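The defender-side counterpart to that fix, as an added example rather than code from net-imap or this release: a wrapper that sends credentials only once the connection reports a verified TLS session, and drops the connection otherwise. The `FakeConnection` class is a constructed stand-in that copies the method names Net::IMAP exposes (`#starttls`, `#tls_verified?`, `#authenticate`, `#disconnect`) so the check can be run offline; the function names are this example's own.

```ruby
# Added example, not net-imap's own code: fail closed around STARTTLS.
# conn is assumed to respond to #starttls, #tls_verified?, #authenticate and
# #disconnect, as Net::IMAP does.
def authenticate_after_starttls(conn, mechanism, user, password)
  conn.starttls
  # Do not trust the mere fact that #starttls returned. Credentials go out only
  # when the connection reports a verified TLS session; otherwise drop it.
  unless conn.tls_verified?
    conn.disconnect
    raise SecurityError, "STARTTLS did not establish a verified TLS session"
  end
  conn.authenticate(mechanism, user, password)
  true
end

# Constructed stand-in for a Net::IMAP connection (no network involved).
class FakeConnection
  attr_reader :authenticated, :disconnected

  # tls_after_starttls: false models a stripped handshake, where the STARTTLS
  # call returns normally but the socket is still plaintext.
  def initialize(tls_after_starttls:)
    @tls_after_starttls = tls_after_starttls
    @tls_verified = false
    @authenticated = []
    @disconnected = false
  end

  def starttls
    @tls_verified = @tls_after_starttls
    nil
  end

  def tls_verified?
    @tls_verified
  end

  def authenticate(mechanism, user, _password)
    @authenticated << [mechanism, user]
  end

  def disconnect
    @disconnected = true
  end
end

# Runs the wrapper against a stripped or a healthy connection and reports
# whether any credential was sent.
def login_outcome(stripped:)
  conn = FakeConnection.new(tls_after_starttls: !stripped)
  authenticate_after_starttls(conn, "PLAIN", "alice", "correct horse")
  { result: :authenticated, credentials_sent: conn.authenticated.size,
    disconnected: conn.disconnected }
rescue SecurityError
  { result: :refused, credentials_sent: conn.authenticated.size,
    disconnected: conn.disconnected }
end

if __FILE__ == $0
  p login_outcome(stripped: true)
  p login_outcome(stripped: false)
end
```

The point of the wrapper is ordering: the TLS check sits between `#starttls` and the first command that carries a secret, so a downgrade results in a closed connection rather than a plaintext login.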

Important

Argument validation is significantly improved. Several injection vulnerabilities have been fixed:
#657 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
#658 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg).
#659 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
#660 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String.
    When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.
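To make the injection point concrete, here is an added example (not net-imap's own code) of how a client encodes command arguments per RFC 3501 section 9 so that caller-supplied text can never terminate the command line: atoms and flags are validated against the atom character set, any other string becomes a quoted string or, when it contains CR, LF or 8-bit bytes, a length-prefixed literal, and NUL is rejected outright. The function names (`encode_astring`, `build_command` and so on) are this example's own.

```ruby
# Added example, not net-imap's own code: RFC 3501 argument encoding.
# ATOM-CHAR is any 7-bit CHAR except atom-specials:
#   "(" ")" "{" SP CTL "%" "*" DQUOTE "\" "]"
ATOM = /\A[[:ascii:]&&[^(){ \x00-\x1f\x7f%*"\\\]]]+\z/

# Atom keywords (SEARCH keys, STORE data items, command names).
def encode_atom!(value)
  s = value.to_s
  raise ArgumentError, "not an IMAP atom: #{s.inspect}" unless s.match?(ATOM)
  s
end

# A flag is a backslash followed by an atom, e.g. \Seen.
def encode_flag!(value)
  s = value.to_s
  unless s.start_with?("\\") && s[1..].match?(ATOM)
    raise ArgumentError, "not an IMAP flag: #{s.inspect}"
  end
  s
end

# astring: bare atom when possible, otherwise quoted string or literal.
def encode_astring(value)
  s = value.to_s
  # NUL is not a CHAR8, so it cannot be carried in any string form.
  raise ArgumentError, "NUL is not allowed in IMAP strings" if s.include?("\0")
  return s if s.match?(ATOM)
  if s.match?(/[\r\n]/) || !s.ascii_only?
    # A quoted string may not contain CR or LF, so such data is sent as a
    # synchronizing literal. The byte count tells the server exactly how much
    # data follows, which is what turns an embedded CRLF into data rather
    # than the start of a new command. A real client must wait for the
    # server's "+" continuation before sending the bytes unless LITERAL+ or
    # LITERAL- was negotiated.
    "{#{s.bytesize}}\r\n#{s}"
  else
    # quoted-specials (DQUOTE and backslash) are escaped with a backslash.
    "\"#{s.gsub(/["\\]/) { "\\#{$&}" }}\""
  end
end

# Builds one command line. Symbols are atoms (or flags when they start with
# a backslash); Strings are astrings. Anything else is refused rather than
# interpolated. Sequence sets are passed here as plain Strings for brevity;
# a full client validates them separately.
def build_command(tag, name, *args)
  encoded = args.map do |arg|
    case arg
    when Symbol
      arg.to_s.start_with?("\\") ? encode_flag!(arg) : encode_atom!(arg)
    when String
      encode_astring(arg)
    else
      raise ArgumentError, "unsupported argument: #{arg.inspect}"
    end
  end
  "#{encode_atom!(tag)} #{encode_atom!(name)} #{encoded.join(' ')}\r\n"
end

if __FILE__ == $0
  # Constructed inputs: a harmless subject and one carrying an embedded CRLF.
  p build_command("a1", :SEARCH, :SUBJECT, "status report")
  p build_command("a2", :SEARCH, :SUBJECT, "line one\r\nline two")
  p build_command("a3", :STORE, "1", :"+FLAGS", :"\\Seen")
end
```

Contrast this with a raw-data path: a String handed straight to the wire as `RawData` skips all three branches above, which is why the page's caution applies and why callers should prefer the Array forms of `#search`/`#fetch` where the library can encode each member for them.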

Note

Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

#642 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
#654 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.
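As an added example, not net-imap's `ScramAuthenticator` implementation: the client-side step at which such a bound has to apply. The SCRAM server-first-message supplies the iteration count `i`, and the client must compute `SaltedPassword = Hi(password, salt, i)` (PBKDF2) before it can answer, so the comparison against the limit has to happen before that work starts, not after. The function names and the constructed server message (built from RFC 5802's example nonce and salt) are this example's own.

```ruby
require "openssl"

# Added example, not net-imap's own code: bounding SCRAM's PBKDF2 cost.
# The default mirrors the net-imap default described above.
DEFAULT_MAX_ITERATIONS = 2**31 - 1

# Parses "r=<nonce>,s=<base64 salt>,i=<count>" into a Hash.
def parse_server_first(message)
  attrs = message.split(",").to_h { |kv| kv.split("=", 2) }
  missing = %w[r s i] - attrs.keys
  unless missing.empty?
    raise ArgumentError, "server-first-message missing #{missing.join(',')}"
  end
  unless attrs["i"].match?(/\A[1-9]\d*\z/)
    raise ArgumentError, "non-numeric iteration count #{attrs['i'].inspect}"
  end
  { nonce: attrs["r"],
    salt: attrs["s"].unpack1("m0"),   # strict base64 decode
    iterations: Integer(attrs["i"]) }
end

# Returns SaltedPassword, or raises before doing any expensive work when the
# server asks for more iterations than the caller allows.
def salted_password(password, server_first, hash: "SHA256",
                    max_iterations: DEFAULT_MAX_ITERATIONS)
  sf = parse_server_first(server_first)
  if sf[:iterations] > max_iterations
    raise SecurityError,
          "server demanded #{sf[:iterations]} PBKDF2 iterations (limit #{max_iterations})"
  end
  digest = OpenSSL::Digest.new(hash)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: sf[:salt],
                           iterations: sf[:iterations],
                           length: digest.digest_length, hash: digest)
end

if __FILE__ == $0
  # Constructed server-first-message using RFC 5802's example nonce and salt.
  server_first = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
  key = salted_password("pencil", server_first, hash: "SHA1", max_iterations: 100_000)
  puts "SaltedPassword: #{key.unpack1('H*')}"
  begin
    salted_password("pencil", server_first, max_iterations: 1_000)
  rescue SecurityError => e
    puts "refused: #{e.message}"
  end
end
```

A limit such as a few hundred thousand iterations still accepts every legitimate server configuration while capping the CPU a hostile one can extract per connection; the 2**31 - 1 default, as the note above says, caps nothing in practice.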

Breaking Changes

  • ResponseReader memoizes Config#max_response_size in #642.
    Changes to #max_response_size now take effect once per response, not on every IO#read.
    NOTE: It is not expected that this will affect any current usage. See the PR for details.

Added

  • ✨ Support BINARY extension to #append (RFC3516) by @nevans in #616
  • ✨ Support LITERAL+ and LITERAL- non-synchronizing literals (RFC7888) by @nevans in #649
  • 🔒 Add ScramAuthenticator#max_iterations by @nevans in #654
  • 🏷️ Add number64 and nz-number64 to NumValidator by @nevans in #625
  • ♻️ Add MailboxQuota#quota_root alias by @nevans in #636
  • 🔍 Simplify Net::IMAP#inspect with basic state by @nevans in #612
  • 🥅 Add ResponseParseError#parser_methods (and override #==) by @nevans in #615

Fixed

  • 🔒 Fix STARTTLS stripping vulnerability in #664, reported by @Masamuneee
  • Argument validation, reported by @manunio
    • 🔒️ Strictly validate symbol (\flag) arguments in #657
    • 🔒️ Validate and send STORE attr as an atom in #658
    • 🔒 Validate #setquota storage limit argument in #659
    • 🔒 Validate RawData for CRLF injection in #660
    • 📚 Improve documentation of RawData arguments in #661
  • ⚡ Much faster ResponseReader performance by @nevans in #642
  • 🥅 Successfully parse invalid response code data by @nevans in #614
  • Fix JRuby SSL connection failure: use SSLContext#setup instead of #freeze by @idahomst in #627
  • 🐛 Fix InvalidResponseError in #get_tagged_response by @nevans in #633
  • Pass an Exception to #raise by @eregon in #643
  • 🐛 Fix empty SearchResult#to_sequence_set in #644, reported by @Quintasan
  • 🐛 Wait to continue RawData literals by @nevans in #660

Documentation

  • 📚 Fix rdoc 7.2 compatibility (section bugfix) by @nevans in #617
  • 📚 Switch back to rdoc's darkfish generator (🚧TMP) by @nevans in #618
  • 📚 Use .document and .rdoc_options files, where possible by @nevans in #619
  • Update README example: Expunge is implicit in MOVE by @sebbASF in #623
  • 📚️ Fix QUOTA documentation by @nevans in #636
  • 📚 Minor documentation fixes by @nevans in #638
  • 📚 Improve documentation of RawData arguments by @nevans in #661

Other Changes

  • Handle deep response recursion as ResponseParseError by @Masamuneee in #629

Miscellaneous

  • ✅ Fix typo in FakeServer (tests only) by @nevans in #620
  • ⬆️ Bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #621
  • Bump step-security/harden-runner from 2.15.0 to 2.15.1 by @dependabot[bot] in #626
  • ⬆️ Bump step-security/harden-runner from 2.15.1 to 2.16.0 by @dependabot[bot] in #628
  • ⬆️ Bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #635
  • ✅ Test #setquota by @nevans in #636
  • ⬆️ Bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #634
  • ⬆️ Bump step-security/harden-runner from 2.16.0 to 2.17.0 by @dependabot[bot] in #639
  • Test TruffleRuby release in CI for improved stability by @eregon in #640
  • ⬆️ Bump actions/upload-pages-artifact from 4 to 5 by @dependabot[bot] in #646
  • ⬆️ Bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in #647

New Contributors

Full Changelog: v0.6.3...v0.6.4