Commit 3043b28
Bump net-imap from 0.5.5 to 0.5.6 (#4314)
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.5.5 to 0.5.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/net-imap/releases">net-imap's
releases</a>.</em></p>
<blockquote>
<h2>v0.5.6</h2>
<h2>What's Changed</h2>
<h3>🔒 Security Fix</h3>
<p>Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can
exhaust client memory by sending <code>APPENDUID</code> or
<code>COPYUID</code> responses with very large <code>uid-set</code>
ranges. <code>Net::IMAP::UIDPlusData</code> expands these ranges into
arrays of integers.</p>
<h4>Fix with minor API changes</h4>
<p>Set <code>config.parser_use_deprecated_uidplus_data</code> to
<code>false</code> to replace <code>UIDPlusData</code> with
<code>AppendUIDData</code> and <code>CopyUIDData</code>. These classes
store their UIDs as <code>Net::IMAP::SequenceSet</code> objects
(<em>not</em> expanded into arrays of integers). Code that does not
handle <code>APPENDUID</code> or <code>COPYUID</code> responses should
not see any difference. Code that does handle these responses
<em>may</em> need to be updated.</p>
<p>For v0.3.8, this option is not available.
For v0.4.19, the default value is <code>true</code>.
For v0.5.6, the default value is <code>:up_to_max_size</code>.
For v0.6.0, the only allowed value will be <code>false</code>
<em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p>
<h4>Mitigate with backward compatible API</h4>
<p>Adjust <code>config.parser_max_deprecated_uidplus_data_size</code> to
limit the maximum <code>UIDPlusData</code> UID set size.
When <code>config.parser_use_deprecated_uidplus_data == true</code>,
larger sets will crash.
When <code>config.parser_use_deprecated_uidplus_data ==
:up_to_max_size</code>, larger sets will use <code>AppendUIDData</code>
or <code>CopyUIDData</code>.</p>
<p>For v0.3.8, this limit is <em>hard-coded</em> to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be <code>0</code>
<em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p>
<h4>Please Note: unhandled responses</h4>
<p>If the client does not add response handlers to prune unhandled
responses, a malicious server can still eventually exhaust all client
memory, by repeatedly sending malicious responses. However,
<code>net-imap</code> has always retained unhandled responses, and it
has always been necessary for long-lived connections to prune these
responses. This is not significantly different from connecting to a
trusted server with a long-lived connection. To limit the maximum number
of retained responses, a simple handler might look something like the
following:</p>
<pre lang="ruby"><code>limit = 1000
imap.add_response_handler do |resp|
  # Only tagged and untagged responses carry a name and data to prune by
  next unless resp.respond_to?(:name) && resp.respond_to?(:data)
  name = resp.name
  # ResponseText carries an optional response code (e.g. APPENDUID, COPYUID);
  # is_a? replaces the ActiveSupport-only #in? used in the original snippet
  code = resp.data.code&.name if resp.data.is_a?(Net::IMAP::ResponseText)
  # Keep only the most recent +limit+ retained responses of each kind;
  # skip the code lookup when there is no code, since responses(nil) yields
  # the whole Hash rather than an Array
  imap.responses(name) { _1.slice!(0...-limit) }
  imap.responses(code) { _1.slice!(0...-limit) } if code
end
</code></pre>
<h3>Added</h3>
<ul>
<li>🔧 Ensure ResponseParser config is mutable and non-global by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/381">ruby/net-imap#381</a></li>
<li>✨ Add SequenceSet methods for querying about duplicates by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/384">ruby/net-imap#384</a></li>
<li>✨ Add <code>SequenceSet#each_ordered_number</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/386">ruby/net-imap#386</a></li>
<li>✨ Add <code>SequenceSet#find_ordered_index</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/396">ruby/net-imap#396</a></li>
<li>✨ Add <code>SequenceSet#ordered_at</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/397">ruby/net-imap#397</a></li>
<li>✨ Add AppendUIDData and CopyUIDData classes by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/400">ruby/net-imap#400</a></li>
<li>🔧 Add parser config for <code>APPENDUID</code>/<code>COPYUID</code>,
🗑️ Deprecate UIDPlusData by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/401">ruby/net-imap#401</a></li>
</ul>
<h3>Fixed</h3>
<ul>
<li>🐛 Fix <code>SequenceSet#append</code> when its <code>@string</code>
is nil by <a href="https://github.com/nevans"><code>@nevans</code></a>
in <a
href="https://redirect.github.com/ruby/net-imap/pull/376">ruby/net-imap#376</a></li>
<li>🐛 Fix SequenceSet merging in another SequenceSet by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/377">ruby/net-imap#377</a></li>
<li>🐛 Fix SequenceSet count dups with multiple "*" by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/387">ruby/net-imap#387</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ruby/net-imap/commit/62710b905d5672dc3dcc6d6774c1863a46e4be2b"><code>62710b9</code></a>
🔖 Bump version to 0.5.6</li>
<li><a
href="https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35"><code>70e3ddd</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/ruby/net-imap/commit/e58aff64d55dda4215fa0cfd7f4d1ea7b9ca51ba"><code>e58aff6</code></a>
🔧 Add <code>:up_to_max_size</code> config for UIDPlusData</li>
<li><a
href="https://github.com/ruby/net-imap/commit/2f58d020580176ed13fcd1e571ab7bc0e1e8f155"><code>2f58d02</code></a>
🔧 Add config option for max UIDPlusData size</li>
<li><a
href="https://github.com/ruby/net-imap/commit/c67470092e53d5f8d1f8d47c80450dd7b5995302"><code>c674700</code></a>
🔒 Limit exponential memory usage to parse uid-set</li>
<li><a
href="https://github.com/ruby/net-imap/commit/60f577690d80dd2593edaeb1d09b7681bedac368"><code>60f5776</code></a>
🔧🗑️ Deprecate UIDPlusData, with config to upgrade</li>
<li><a
href="https://github.com/ruby/net-imap/commit/8f41dea368f456ee502c5eaf80491e924691010a"><code>8f41dea</code></a>
🔀 Merge pull request <a
href="https://redirect.github.com/ruby/net-imap/issues/400">#400</a>
from ruby/add-appenduid-copyuid-classes</li>
<li><a
href="https://github.com/ruby/net-imap/commit/bcb261d12e9911eaf89d35db314c626501c92b72"><code>bcb261d</code></a>
✨ Add CopyUIDData (to replace UIDPlusData)</li>
<li><a
href="https://github.com/ruby/net-imap/commit/01bb49f4ae3220a695e21314ba4d92a84fe64b35"><code>01bb49f</code></a>
✨ Add AppendUIDData (to replace UIDPlusData)</li>
<li><a
href="https://github.com/ruby/net-imap/commit/85d0aa264daa682106c73bd4a33d047888b3eee7"><code>85d0aa2</code></a>
🚚 Rename UIDPLUS test file for consistency</li>
<li>Additional commits viewable in <a
href="https://github.com/ruby/net-imap/compare/v0.5.5...v0.5.6">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 7102388
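The advisory quoted above turns on one point: a uid-set such as `1:4294967295` is a few bytes on the wire but billions of integers once expanded, so a client must keep it as ranges and cap any expansion. The following is an added illustration, not net-imap's own code: a minimal stand-in parser (hypothetical names `parse_uid_set`, `uid_set_count`, `expand_uid_set`) that keeps the set as `Range`s, as `SequenceSet` does, and refuses expansion above a cap, the role played by `config.parser_max_deprecated_uidplus_data_size`.

```ruby
# Added illustration, not net-imap's code: keep an IMAP uid-set as ranges
# (the idea behind Net::IMAP::SequenceSet) and cap any expansion into an
# integer array (the role of config.parser_max_deprecated_uidplus_data_size).
UidSetTooLarge = Class.new(StandardError)

# Parse a uid-set ("1:5,7,9:12"; RFC 4315 allows no "*" here) into inclusive
# Ranges. Cost grows with the number of comma-separated items, not with the
# span of UIDs they cover, so "1:4294967295" is a single small Range.
def parse_uid_set(str)
  str.split(",").map do |item|
    lo, hi = item.split(":", 2).map { |n| Integer(n, 10) }
    raise ArgumentError, "empty item in uid-set" if lo.nil?
    hi ||= lo
    lo, hi = hi, lo if lo > hi          # "12:9" is legal; normalise ascending
    raise ArgumentError, "uid must be >= 1, got #{lo}" if lo < 1
    lo..hi
  end
end

# Number of UIDs covered, computed from the bounds without allocating them.
def uid_set_count(ranges)
  ranges.sum { |r| r.end - r.begin + 1 }
end

# Expand to an integer array only when the set covers at most +max+ UIDs;
# above that, refuse instead of allocating (the pre-0.5.6 UIDPlusData path
# expanded unconditionally, which is what a malicious server exploits).
def expand_uid_set(ranges, max:)
  count = uid_set_count(ranges)
  raise UidSetTooLarge, "uid-set covers #{count} UIDs (max #{max})" if count > max
  ranges.flat_map(&:to_a)
end

if __FILE__ == $PROGRAM_NAME
  small = parse_uid_set("1:5,7,9:12")          # constructed sample input
  p expand_uid_set(small, max: 100)            # [1, 2, 3, 4, 5, 7, 9, 10, 11, 12]
  huge = parse_uid_set("1:4294967295")         # constructed worst-case uid-set
  p uid_set_count(huge)                        # 4294967295, computed instantly
  begin
    expand_uid_set(huge, max: 100)
  rescue UidSetTooLarge => e
    puts e.message
  end
end
```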
1 file changed: +1 -1 (hunk at lines 266-272, line 269 replaced; the changed lines themselves are not shown on this page)