Bug #21297
Update net-imap for ruby 3.2, 3.3, 3.4 (closed)
Description
The bundled net-imap versions are vulnerable to CVE-2025-43857 (GHSA-j3g3-5qv5-52mj). This vulnerability does not affect securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname).
Fixing the issue requires upgrading to v0.2.5, v0.3.9, v0.4.20, or v0.5.7.
- ruby 3.2.8 bundles net-imap v0.3.8. PR: Bump net-imap to 0.3.9 for Ruby 3.2: https://github.com/ruby/ruby/pull/13213
- ruby 3.3.8 bundles net-imap v0.4.19. PR: Bump net-imap to 0.4.21 for Ruby 3.3: https://github.com/ruby/ruby/pull/13214
- ruby 3.4.3 bundles net-imap v0.5.6. PR: Bump net-imap to v0.5.8 for Ruby 3.4: https://github.com/ruby/ruby/pull/13215
I didn't have a release ready in time to be bundled with the final version of ruby 3.1, so I haven't created a PR for v0.2.5.
v0.4.21 and v0.5.8 are primarily bug fixes, so my PRs for ruby 3.3 and 3.4 upgrade to those versions.
The workaround is to uninstall the vulnerable bundled versions and run `gem install net-imap`.
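A small check, added here as an example and not part of the ticket or the net-imap project, that classifies a net-imap version against the fixed releases listed above (v0.2.5, v0.3.9, v0.4.20, v0.5.7) and reports whether the net-imap actually loadable in the current Ruby is one of them. It assumes the loadable copy is the one the application will use, i.e. that no other gem path shadows it.

```ruby
# Added example (not from the ticket): check a net-imap version against the
# fixed releases for CVE-2025-43857, one minimum per affected 0.x series.
require "rubygems"

# Minimum fixed version for each affected series, as listed in the ticket.
NET_IMAP_FIXED = {
  "0.2" => Gem::Version.new("0.2.5"),
  "0.3" => Gem::Version.new("0.3.9"),
  "0.4" => Gem::Version.new("0.4.20"),
  "0.5" => Gem::Version.new("0.5.7"),
}.freeze

# Returns :fixed, :vulnerable, or :unknown (a series the advisory does not cover,
# e.g. a release newer than the 0.5 line). Prerelease tags sort below the
# final release, so "0.5.7.pre" is still reported as :vulnerable.
def net_imap_status(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  fixed = NET_IMAP_FIXED[series]
  return :unknown unless fixed

  version >= fixed ? :fixed : :vulnerable
end

# Classifies whichever net-imap `require` resolves to in this Ruby: either the
# bundled gem or a newer copy installed with `gem install net-imap`.
def installed_net_imap_status
  require "net/imap"
  net_imap_status(Net::IMAP::VERSION)
rescue LoadError
  :unknown # net-imap not installed at all, so nothing vulnerable is loadable
end

if $PROGRAM_NAME == __FILE__
  puts "loadable net-imap: #{installed_net_imap_status}"
end
```

Run it with the same Ruby the application uses; a result of :vulnerable after `gem install net-imap` usually means the bundled copy still wins resolution and must be uninstalled as the ticket describes.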
Security Advisory Links:
Updated by nevans (Nicholas Evans) about 2 months ago
- Description updated (diff)
Updated by hsbt (Hiroshi SHIBATA) about 1 month ago
- Status changed from Open to Closed
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: DONE, 3.3: REQUIRED, 3.4: DONE
Updated by nagachika (Tomoyuki Chikanaga) about 1 month ago
- Backport changed from 3.2: DONE, 3.3: REQUIRED, 3.4: DONE to 3.2: DONE, 3.3: DONE, 3.4: DONE
ruby_3_3: merged at 74f46982ebfbec4d21b6fc8aff47f2e290307d36.