From: "k0kubun (Takashi Kokubun) via ruby-core"
Date: 2025-02-14T05:16:52+00:00
Subject: [ruby-core:121032] [Ruby master Bug#21130] Update net-imap for ruby 3.2, 3.3, 3.4

Issue #21130 has been updated by k0kubun (Takashi Kokubun).

Backport changed from 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED to 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONE

ruby_3_4 commit:12c716eea02f0efbb7dcd4ddb3a8b0523cdb99c2.

----------------------------------------
Bug #21130: Update net-imap for ruby 3.2, 3.3, 3.4
https://bugs.ruby-lang.org/issues/21130#change-111940

* Author: nevans (Nicholas Evans)
* Status: Closed
* Backport: 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONE
----------------------------------------
The bundled versions are vulnerable to CVE-2024-25186 (GHSA-7fc5-f82f-cx69). Fixing the issue requires upgrading to v0.3.8, v0.4.19, or v0.5.4.

* ruby 3.2.7 bundles net-imap v0.3.4.1
  PR: Bump net-imap to 0.3.8 for Ruby 3.2 https://github.com/ruby/ruby/pull/12733
* ruby 3.3.7 bundles net-imap v0.4.9.1
  PR: Bump net-imap to 0.4.19 for Ruby 3.3 https://github.com/ruby/ruby/pull/12732
* ruby 3.4.1 bundles net-imap v0.5.4
  PR: Bump net-imap to v0.5.6 for Ruby 3.4 https://github.com/ruby/ruby/pull/12731

The workaround is to uninstall the vulnerable bundled versions and `gem install net-imap`.

Security Advisory Links:

* https://www.cve.org/CVERecord?id=CVE-2025-25186
* https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69

--
https://bugs.ruby-lang.org/
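
Added example, not part of the original message or the Ruby project's code: a Ruby check that lists every installed net-imap copy and compares each one with the version its release series is bumped to by the three PRs above (0.3.8, 0.4.19, 0.5.6), since the workaround can leave an old bundled copy next to a newly installed one. The names `net_imap_status` and `audit_net_imap` are hypothetical, and any series the issue does not name is reported as unknown rather than guessed.

```ruby
require 'rubygems'

# Per-series minimum versions, taken from the bump targets of the three PRs
# listed in the issue. Series not named there are deliberately absent.
FIXED_BY_SERIES = {
  '0.3' => Gem::Version.new('0.3.8'),
  '0.4' => Gem::Version.new('0.4.19'),
  '0.5' => Gem::Version.new('0.5.6')
}.freeze

# Classifies one net-imap version string as :fixed, :vulnerable or :unknown.
def net_imap_status(version)
  v = Gem::Version.new(version)
  series = v.segments.first(2).join('.') # "0.4.9.1" -> "0.4"
  fixed = FIXED_BY_SERIES[series]
  return :unknown if fixed.nil?          # series not covered by the issue

  v >= fixed ? :fixed : :vulnerable
end

# Audits every installed copy, not only the one that would be activated:
# an older copy left on disk can still be loaded when a Gemfile pins it.
def audit_net_imap(specs = Gem::Specification.find_all_by_name('net-imap'))
  specs.map do |spec|
    version = spec.version.to_s
    { version: version, status: net_imap_status(version), path: spec.full_gem_path }
  end
end

if $PROGRAM_NAME == __FILE__
  audit_net_imap.each do |row|
    puts format('%-10s %-11s %s', row[:version], row[:status], row[:path])
  end
end
```

Run it with each Ruby installation you maintain; any row marked `vulnerable` is a copy that the workaround in the issue still needs to remove or supersede.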