v0.6.4.1

@github-actions released this 09 Jun 18:00 · 22 commits to master since this release

What's Changed

🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.

  • (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
    This vulnerability depends on how the server interprets non-synchronizing literals.
    The connection is not vulnerable if the server supports non-synchronizing literals.
    • 🥅 Validate non-synchronizing literals support by @nevans in #701
  • (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
    • 🥅 Validate ID values contain only valid bytes by @nevans in #698
    • 🥅 Validate #enable arguments are all atoms by @nevans in #699
      NOTE: #enable should never be called with untrusted input.
  • (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
    This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
    • Reported by @fg0x0
    • 🐛 Prevent trailing {0} in RawData validation by @nevans in #700
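
A caller-side guard for the ENABLE item above, as an added example that is not net-imap's own code: it checks capability names against the RFC 3501 atom grammar and a hypothetical allowlist before they would be passed to #enable. The names imap_atom?, safe_enable_args and ALLOWED_CAPABILITIES are assumptions made for this example.

```ruby
# Added example, not code from net-imap.
# Assumption: atom grammar as defined in RFC 3501 section 9
#   atom = 1*ATOM-CHAR, ATOM-CHAR = any CHAR except atom-specials

# Bytes that may not appear in an atom: CTL (including CR and LF), SP,
# DEL, 8-bit bytes, and the atom-specials ( ) { % * " \ ]
ATOM_FORBIDDEN = /[\x00-\x20\x7f-\xff(){%*"\\\]]/n

# Hypothetical allowlist: list only the extensions the application uses.
ALLOWED_CAPABILITIES = %w[UTF8=ACCEPT CONDSTORE QRESYNC].freeze

# True only for a non-empty String made entirely of ATOM-CHAR bytes.
def imap_atom?(value)
  return false unless value.is_a?(String) && !value.empty?
  !value.b.match?(ATOM_FORBIDDEN)
end

# Returns normalized capability names, or raises ArgumentError on the
# first value that is not an atom or is not on the allowlist.
def safe_enable_args(names)
  names.map do |name|
    unless imap_atom?(name)
      raise ArgumentError, "not an IMAP atom: #{name.inspect}"
    end
    upper = name.upcase
    unless ALLOWED_CAPABILITIES.include?(upper)
      raise ArgumentError, "capability not allowed: #{upper}"
    end
    upper
  end
end

# Constructed sample inputs: the second one carries a line break, which
# would otherwise end the command line early.
SAMPLES = ["condstore", "CONDSTORE\r\nx NOOP", "{3}", ""].freeze

def classify_samples
  SAMPLES.map { |s| [s, imap_atom?(s)] }
end

classify_samples.each { |s, ok| puts "#{s.inspect} -> #{ok ? 'atom' : 'rejected'}" }
```

The grammar check alone stops line breaks and literal markers; the allowlist keeps the call limited to extensions the application actually handles, in line with the note that #enable should never receive untrusted input.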

Added

  • 🔍 Add more detail to Net::IMAP#inspect TLS info by @nevans in #674

Fixed

  • 🔧 Disallow config.max_non_synchronizing_literal = nil by @nevans in #672
  • 🧵 Fix deadlock in #disconnect by @nevans in #686
  • 🥅 Validate that Atom and Flag are not empty by @nevans in #684

Documentation

  • ⚠️ Boost visibility of raw data argument documentation warnings by @nevans in #677

Other Changes

  • 🏷️ Allow 64-bit Integer arguments by @nevans in #675
  • 🥅 Ensure send_number_data input is an Integer by @nevans in #676
  • ♻️ Improve RawData.new, Add RawData.split by @nevans in #679
  • 🏷️ Less strict number string coercion, to match RFCs by @nevans in #680
  • 🥅 Validate response literal byte size format by @nevans in #681

Miscellaneous

  • ⬆️ Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #673
  • ✅ Improvements to tests' FakeServer by @nevans in #678
  • ⬆️ Bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in #682
  • ⬆️ Bump step-security/harden-runner from 2.19.3 to 2.19.4 by @dependabot[bot] in #683

Full Changelog: v0.6.4...v0.6.4.1