Source: ruby3.3
Version: 3.3.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby/net-imap/pull/445
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for ruby3.3.
CVE-2025-43857[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and
| 0.2.5, there is a possibility for denial of service by memory
| exhaustion when net-imap reads server responses. At any time while
| the client is connected, a malicious server can send a
| "literal" byte count, which is automatically read by the client's
| receiver thread. The response reader immediately allocates memory
| for the number of bytes indicated by the server response. This
| should not be an issue when securely connecting to trusted IMAP
| servers that are well-behaved. It can affect insecure connections
| and buggy, untrusted, or compromised servers (for example,
| connecting to a user supplied hostname). This issue has been patched
| in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-43857
    https://www.cve.org/CVERecord?id=CVE-2025-43857
[1] https://github.com/ruby/net-imap/pull/445
[2] https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj
Regards,
Salvatore
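The mechanism described in the CVE text above, shown as an added example that is not part of the bug report and is not net-imap's own code. It models an IMAP response reader that encounters a literal announcement "{<byte-count>}\r\n": the unpatched shape trusts the server's count and requests that many bytes at once (on a real socket, IO#read(n) allocates an n-byte buffer up front), while the hardened shape rejects an oversized count before reading anything. The class and constant names, the 1 MiB limit and the sample FETCH traffic are this example's own assumptions; consult the linked PR for the real fix.

```ruby
require "stringio"

# Added example: toy model of an IMAP response reader, not net-imap's code.
# Names, the limit and the sample traffic below are assumptions.

class LiteralTooLarge < StandardError; end

# Wraps a byte string as a "server" stream and records every read(n) request.
# With a real socket, read(n) is where the client allocates n bytes up front,
# so the recorded sizes stand in for the allocations the server can force.
class RecordingServer
  attr_reader :requested

  def initialize(bytes)
    @io = StringIO.new(bytes.b)
    @requested = []
  end

  def gets(sep)
    @io.gets(sep)
  end

  def read(n)
    @requested << n
    @io.read(n)
  end
end

# IMAP literal announcement at the end of a line: "{<decimal count>}\r\n".
LITERAL_ANNOUNCE = /\{(\d+)\}\r\n\z/

# Reads one response line; if it ends with a literal announcement, also reads
# the literal. Returns [line, literal_or_nil], or nil at end of stream.
# max_literal: nil trusts the server's count (the vulnerable behaviour);
# with a limit, an oversized announcement raises before any read happens.
def read_response(server, max_literal: nil)
  line = server.gets("\r\n")
  return nil if line.nil?
  m = LITERAL_ANNOUNCE.match(line)
  return [line, nil] unless m
  count = m[1].to_i
  if max_literal && count > max_literal
    raise LiteralTooLarge, "server announced #{count}-byte literal, limit is #{max_literal}"
  end
  [line, server.read(count).to_s]
end

# Constructed sample traffic: a benign FETCH carrying a 5-byte literal, and a
# hostile response announcing a 4 GiB literal with no body behind it.
BENIGN  = "* 1 FETCH (BODY[] {5}\r\nhello)\r\n"
HOSTILE = "* 1 FETCH (BODY[] {4294967296}\r\n"

# Unpatched shape: the announced count goes straight into read(n).
def vulnerable_demo
  srv = RecordingServer.new(HOSTILE)
  read_response(srv)
  srv.requested # => [4294967296]
end

# Hardened shape: the count is checked against a cap before any read.
def hardened_demo
  srv = RecordingServer.new(HOSTILE)
  begin
    read_response(srv, max_literal: 1 << 20)
    :no_error
  rescue LiteralTooLarge
    srv.requested # => [] (nothing was read, so nothing was allocated)
  end
end

if $PROGRAM_NAME == __FILE__
  p read_response(RecordingServer.new(BENIGN))
  p vulnerable_demo
  p hardened_demo
end
```

Running the file prints the parsed benign response, the single 4294967296-byte read the unpatched reader asks for, and the empty request list of the capped reader. The cap only matters on the untrusted path the CVE text singles out (user-supplied hostnames, plaintext connections, compromised servers); the limit has to be large enough for the biggest message bodies a legitimate server will send.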