v0.6.4.1 · ruby net-imap · Discussion #704 · GitHub

nevans
Jun 9, 2026
Maintainer

What's Changed

Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4.

(moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
This vulnerability depends how the server interprets non-synchronizing literals.
The connection is not vulnerable if the server supports non-synchronizing literals.
- 🥅 Validate non-synchronizing literals support by @nevans in 🥅 Validate non-synchronizing literals support #701
(moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
- 🥅 Validate ID values contain only valid bytes by @nevans in 🥅 Validate ID values contain only valid bytes #698
- 🥅 Validate #enable arguments are all atoms by @nevans in 🥅 Validate #enable arguments are all atoms #699
  NOTE: #enable should never be called with untrusted input.
(low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
- 🐛 Prevent trailing {0} in RawData validation by @nevans in 🐛 Prevent trailing {0} in RawData validation #700

Added

🔍 Add more detail to Net::IMAP#inspect TLS info by @nevans in 🔍 Add more detail to Net::IMAP#inspect TLS info #674

Fixed

🔧 Disallow config.max_non_synchronizing_literal = nil by @nevans in 🔧 Disallow config.max_non_synchronizing_literal = nil #672
🧵 Fix deadlock in #disconnect by @nevans in 🧵 Fix deadlock in #disconnect #686
🥅 Validate that Atom and Flag are not empty by @nevans in 🥅 Validate that Atom and Flag are not empty #684

Documentation

⚠️ Boost visibility of raw data argument documentation warnings by @nevans in ⚠️ Boost visibility of raw data argument documentation warnings #677

Other Changes

🏷️ Allow 64-bit Integer arguments by @nevans in 🏷 Allow 64-bit Integer arguments #675
🥅 Ensure send_number_data input is an Integer by @nevans in 🥅 Ensure send_number_data input is an Integer #676
♻️ Improve RawData.new, Add RawData.split by @nevans in ♻️ Improve RawData.new, Add RawData.split #679
🏷️ Less strict number string coercion, to match RFCs by @nevans in 🐛 Less strict number string coercion, to match RFCs #680
🥅 Validate response literal byte size format by @nevans in 🥅 Validate response literal byte size format #681

Miscellaneous

⬆️ Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.19.0 to 2.19.1 #673
✅ Improvements to tests' FakeServer by @nevans in ✅ Improvements to tests' FakeServer #678
⬆️ Bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.19.1 to 2.19.3 #682
⬆️ Bump step-security/harden-runner from 2.19.3 to 2.19.4 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.19.3 to 2.19.4 #683

Full Changelog: v0.6.4...v0.6.4.1

This discussion was created from the release v0.6.4.1.

Replies: 0 comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment