Source: ruby3.3 X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerabilities were published for ruby3.3. CVE-2026-47240[0]: | Net::IMAP implements Internet Message Access Protocol (IMAP) client | functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP | commands accept a "raw data" argument that is sent verbatim after | validation to prevent command injection. However, if a server does | not support non-synchronizing literals, it may still be possible to | inject arbitrary IMAP commands inside non-synchronizing literals. A | server without support for non-synchronizing literals may interpret | the "+}\r\n" as the end of a malformed command line and respond with | a tagged BAD. In that case, the contents of the literal will be | interpreted as one or more new pipelined commands, allowing a CRLF | command injection attack to succeed. This affects criteria for | #search and #uid_search; search_keys for #sort, #thread, #uid_sort, | and #uid_thread; and attr for #fetch and #uid_fetch. This | vulnerability is fixed in 0.6.5 and 0.5.15. https://github.com/ruby/net-imap/security/advisories/GHSA-8p34-64r3-mwg8 CVE-2026-47241[1]: | Net::IMAP implements Internet Message Access Protocol (IMAP) client | functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP | commands accept a raw string argument which is only validated to | prevent CRLF injection and then sent verbatim. If this string is | derived from user-controlled input, an attacker can force the next | command to be absorbed as a continuation of the first command. This | will cause the first command to eventually fail, but also prevents | it from returning until another command is sent (from another | thread). That other command will not return until the connection is | closed. This vulnerability is fixed in 0.6.5 and 0.5.15. https://github.com/ruby/net-imap/security/advisories/GHSA-c4fp-cxrr-mj66 CVE-2026-47242[2]: | Net::IMAP implements Internet Message Access Protocol (IMAP) client | functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id | is called with a hash argument, although the ID field value strings | are correctly quoted (escaping quoted specials), they were not | validated to prohibit CRLF sequences. While Net::IMAP#enable does | process its arguments for aliases, it does not validate them as | valid atoms (or as a list of valid atoms). The #to_s value is sent | verbatim. Arguments to either command could be used by an attacker | to inject arbitrary IMAP commands. This vulnerability is fixed in | 0.6.5 and 0.5.15. https://github.com/ruby/net-imap/security/advisories/GHSA-46q3-7gv7-qmgg If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-47240 https://www.cve.org/CVERecord?id=CVE-2026-47240 [1] https://security-tracker.debian.org/tracker/CVE-2026-47241 https://www.cve.org/CVERecord?id=CVE-2026-47241 [2] https://security-tracker.debian.org/tracker/CVE-2026-47242 https://www.cve.org/CVERecord?id=CVE-2026-47242 Please adjust the affected versions in the BTS as needed. _______________________________________________ Pkg-ruby-extras-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
