Source: ruby3.3
Version: 3.3.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby/net-imap/pull/445
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ruby3.3.

CVE-2025-43857[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and
| 0.2.5, there is a possibility for denial of service by memory
| exhaustion when net-imap reads server responses. At any time while
| the client is connected, a malicious server can send a
| "literal" byte count, which is automatically read by the client's
| receiver thread. The response reader immediately allocates memory
| for the number of bytes indicated by the server response. This
| should not be an issue when securely connecting to trusted IMAP
| servers that are well-behaved. It can affect insecure connections
| and buggy, untrusted, or compromised servers (for example,
| connecting to a user supplied hostname). This issue has been patched
| in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-43857
    https://www.cve.org/CVERecord?id=CVE-2025-43857
[1] https://github.com/ruby/net-imap/pull/445
[2] https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj

Regards,
Salvatore
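The mitigation pattern behind the advisory, as an added example that is not net-imap's own code: an IMAP response reader that parses the `{N}` literal marker and checks N against a configurable cap before allocating or reading N bytes. `SafeLiteralReader`, `LiteralTooLarge` and the `max_literal_size` argument are names assumed here; the sample responses are constructed.

```ruby
require "stringio"

# Raised when a server announces a literal larger than the configured cap.
class LiteralTooLarge < StandardError; end

# Minimal reader for IMAP responses containing literals ("{N}\r\n" followed
# by N raw bytes). Assumed names; this is not the net-imap implementation.
class SafeLiteralReader
  LITERAL_MARKER = /\{(\d+)\}\r\n\z/

  def initialize(io, max_literal_size: 1024 * 1024)
    @io  = io
    @max = max_literal_size
  end

  # Returns one complete response (all line segments plus their literals),
  # nil at a clean EOF. The byte count is validated BEFORE any allocation,
  # so a hostile "{4294967295}" costs nothing but an exception.
  def read_response
    buf = +""
    loop do
      line = @io.gets("\r\n")
      if line.nil?
        return nil if buf.empty?
        raise EOFError, "connection closed mid-response"
      end
      buf << line
      md = line.match(LITERAL_MARKER)
      return buf unless md

      size = Integer(md[1], 10)
      if size > @max
        raise LiteralTooLarge,
              "server announced a #{size}-byte literal, cap is #{@max}"
      end

      literal = @io.read(size) # allocation happens only after the check
      if literal.nil? || literal.bytesize < size
        raise EOFError, "short literal from server"
      end
      buf << literal
    end
  end
end
```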