Source: ruby3.1
Version: 3.1.2-8.5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby3.1.

CVE-2025-25186[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Starting in version 0.3.2 and prior to
| versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial
| of service by memory exhaustion in `net-imap`'s response parser. At
| any time while the client is connected, a malicious server can send
| highly compressed `uid-set` data which is automatically read by the
| client's receiver thread. The response parser uses `Range#to_a` to
| convert the `uid-set` data into arrays of integers, with no
| limitation on the expanded size of the ranges. Versions 0.3.8,
| 0.4.19, 0.5.6, and higher fix this issue. Additional details for
| proper configuration of fixed versions and backward compatibility
| are available in the GitHub Security Advisory.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25186
    https://www.cve.org/CVERecord?id=CVE-2025-25186

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
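The advisory describes the defect as `Range#to_a` being applied to server-supplied `uid-set` ranges without any bound on their expanded size. The following Ruby is an added illustration of the mitigation pattern, not code from net-imap or from the upstream fix: it computes the expanded size of an IMAP sequence-set arithmetically before materialising anything and refuses input above a caller-chosen cap. The default cap of 10_000, the function names and the error class are assumptions made for this example.

```ruby
# Added example (not net-imap's code): a bounded parser for an IMAP
# "sequence-set" / uid-set such as "1:5,9,12:14". The expanded size of
# every range is computed arithmetically first, so a compact string like
# "1:4294967295" is rejected without ever allocating the array.
# "*" (the largest UID known to the client) is treated as unbounded and
# is therefore never expanded.

class UidSetTooLarge < StandardError; end

UID_SET_ITEM = /\A(\d+|\*)(?::(\d+|\*))?\z/

# Returns the number of integers the uid-set would expand to, without
# building them (Float::INFINITY if "*" is present). Raises ArgumentError
# on malformed input, including the invalid UID 0.
def uid_set_size(str)
  str.split(",", -1).sum do |item|
    m = UID_SET_ITEM.match(item) or
      raise ArgumentError, "malformed uid-set item: #{item.inspect}"
    lo, hi = m[1], m[2] || m[1]
    return Float::INFINITY if lo == "*" || hi == "*"
    lo, hi = lo.to_i, hi.to_i
    raise ArgumentError, "uid 0 is not valid in a uid-set" if lo.zero? || hi.zero?
    lo, hi = hi, lo if lo > hi # IMAP allows "5:1" to mean 1..5
    hi - lo + 1
  end
end

# Expands the uid-set to a sorted, de-duplicated Array of Integers, but only
# when its expanded size is at most max_size. The cap is an assumption for
# this example; a real client should size it to what it is prepared to hold.
def expand_uid_set(str, max_size: 10_000)
  size = uid_set_size(str)
  if size > max_size
    raise UidSetTooLarge, "uid-set expands to #{size} entries (limit #{max_size})"
  end
  str.split(",").flat_map do |item|
    lo, hi = item.split(":", 2).map(&:to_i)
    hi ||= lo
    lo, hi = hi, lo if lo > hi
    (lo..hi).to_a # safe here: the total size has already been bounded
  end.uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  p expand_uid_set("1:5,9,12:14")
  begin
    expand_uid_set("1:4294967295") # constructed hostile input: compact, huge
  rescue UidSetTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the check is the order of operations: the size is derived from the endpoints alone, so the cost of deciding whether to accept a range is constant regardless of how many integers it denotes.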