From: "nevans (Nicholas Evans) via ruby-core" <ruby-core@...>
Date: 2025-02-12T23:05:24+00:00
Subject: [ruby-core:120960] [Ruby master Bug#21130] Update net-imap for ruby 3.2, 3.3, 3.4

Issue #21130 has been reported by nevans (Nicholas Evans).

----------------------------------------
Bug #21130: Update net-imap for ruby 3.2, 3.3, 3.4
https://bugs.ruby-lang.org/issues/21130

* Author: nevans (Nicholas Evans)
* Status: Open
* Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
The bundled versions are vulnerable to CVE-2024-25186 (https://www.cve.org/CVERecord?id=CVE-2025-25186).  Fixing the issue requires upgrading to v0.3.8, v0.4.19, or v0.5.4.

* ruby 3.2.7 bundles net-imap v0.3.4.1
  PR: Bump net-imap to 0.3.8 for Ruby 3.2
  https://github.com/ruby/ruby/pull/12733
* ruby 3.3.7 bundles net-imap v0.4.9.1
  PR: Bump net-imap to 0.4.19 for Ruby 3.3
  https://github.com/ruby/ruby/pull/12732
* ruby 3.4.1 bundles net-imap v0.5.4
  PR: Bump net-imap to v0.5.6 for Ruby 3.4
  https://github.com/ruby/ruby/pull/12731

The workaround is to uninstall the vulnerable bundled versions and `gem install net-imap`.



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/