Source: ruby3.3
Version: 3.3.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for ruby3.3.

CVE-2026-42245[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4,
| Net::IMAP::ResponseReader has quadratic time complexity when reading
| large responses containing many string literals. A hostile server
| can send responses which are crafted to exhaust the client's CPU for
| a denial of service attack. This issue has been patched in versions
| 0.4.24, 0.5.14, and 0.6.4.

CVE-2026-42246[1]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and
| 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to
| return "successfully", without starting TLS. This issue has been
| patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

CVE-2026-42256[2]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0
| to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a
| connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can
| perform a computational denial-of-service attack on the client
| process by sending a big iteration count value. This issue has been
| patched in versions 0.4.24, 0.5.14, and 0.6.4.

CVE-2026-42257[3]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4,
| several Net::IMAP commands accept a raw string argument that is sent
| to the server without validation or escaping. If this string is
| derived from user-controlled input, it may contain CRLF
| sequences, which an attacker can use to inject arbitrary IMAP
| commands. This issue has been patched in versions 0.4.24, 0.5.14,
| and 0.6.4.

CVE-2026-42258[4]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4,
| symbol arguments to commands are vulnerable to a CRLF Injection /
| IMAP Command injection via Symbol arguments passed to IMAP commands.
| This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42245
    https://www.cve.org/CVERecord?id=CVE-2026-42245
[1] https://security-tracker.debian.org/tracker/CVE-2026-42246
    https://www.cve.org/CVERecord?id=CVE-2026-42246
[2] https://security-tracker.debian.org/tracker/CVE-2026-42256
    https://www.cve.org/CVERecord?id=CVE-2026-42256
[3] https://security-tracker.debian.org/tracker/CVE-2026-42257
    https://www.cve.org/CVERecord?id=CVE-2026-42257
[4] https://security-tracker.debian.org/tracker/CVE-2026-42258
    https://www.cve.org/CVERecord?id=CVE-2026-42258

Regards,
Salvatore
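The CRLF injection class behind CVE-2026-42257 and CVE-2026-42258 (a raw string or Symbol argument interpolated into a command line without escaping), shown as an added example. This is standalone Ruby written for this page, not Net::IMAP's own code, and it makes no claim about which Net::IMAP commands take which path; `unsafe_command`, `safe_command`, `encode_imap_string`, `parse_commands` and the mailbox name `EVIL_MAILBOX` are all constructed here. The encoder follows the RFC 3501 grammar (atom, quoted string, literal) and assumes the server accepts non-synchronizing `{n+}` literals (RFC 7888); the splitter models only how a server decides where one command ends and the next begins.

```ruby
require "stringio"

# Added example, not code from Net::IMAP: an unescaped, user-controlled argument
# becomes a second IMAP command on the wire; an RFC 3501 encoder makes the same
# value travel as data.

# Naive builder: interpolates the argument verbatim, the pattern the advisory
# describes. A Symbol argument takes exactly the same path once stringified.
def unsafe_command(tag, name, arg)
  "#{tag} #{name} #{arg}\r\n"
end

# atom-specials from RFC 3501 section 9: any of these forces quoting or a literal.
ATOM_SPECIALS = /[(){ %*"\\\]\x00-\x1f\x7f]/

# Encode one argument as an atom, a quoted string, or a literal.
def encode_imap_string(value)
  value = value.to_s if value.is_a?(Symbol)
  raise ArgumentError, "NUL is not allowed in IMAP strings or literals" if value.include?("\0")

  if value.match?(/[\r\n]/) || value.bytes.any? { |b| b > 0x7f }
    # CR, LF and 8-bit octets cannot appear in a quoted string; only a literal
    # can carry them. The octet count tells the server exactly where the
    # argument ends, so an embedded CRLF is data, never a command boundary.
    # "{n+}" is the non-synchronizing form (RFC 7888, LITERAL+), assumed to be
    # supported by the server; with a plain "{n}" the client must wait for the
    # server's "+" continuation before sending the octets.
    "{#{value.bytesize}+}\r\n#{value}"
  elsif value.empty? || value.match?(ATOM_SPECIALS)
    # quoted string: only DQUOTE and backslash need escaping
    '"' + value.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  else
    value # plain atom
  end
end

def safe_command(tag, name, arg)
  "#{tag} #{name} #{encode_imap_string(arg)}\r\n"
end

# Minimal server-side command splitter: one command per CRLF-terminated line,
# except that a line ending in "{n}" or "{n+}" pulls the next n octets into the
# same command, whatever bytes they contain.
def parse_commands(wire)
  io = StringIO.new(wire.b)
  commands = []
  current = "".b
  while (line = io.gets("\r\n"))
    current << line
    if (m = line.match(/\{(\d+)\+?\}\r\n\z/))
      current << io.read(m[1].to_i).to_s
    else
      commands << current.chomp("\r\n")
      current = "".b
    end
  end
  commands
end

# Constructed attacker-controlled mailbox name: what was typed, plus an injected command.
EVIL_MAILBOX = "INBOX\r\nA002 DELETE Important"

if $PROGRAM_NAME == __FILE__
  p parse_commands(unsafe_command("A001", "SELECT", EVIL_MAILBOX)) # two commands
  p parse_commands(safe_command("A001", "SELECT", EVIL_MAILBOX))   # one command
end
```

The check worth carrying into application code is the one `encode_imap_string` performs before anything reaches the socket: a value containing CR, LF or 8-bit data is either sent as a length-prefixed literal or rejected, and a Symbol is converted to a String first so it gets the same treatment.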
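The client-side guard implied by CVE-2026-42256, as an added example: a SCRAM client parses the server-first-message and refuses an iteration count above a policy cap before running the KDF, so a hostile server cannot choose how much CPU the client burns. This is standalone Ruby written for this page, not Net::IMAP's SCRAM implementation; `MAX_SCRAM_ITERATIONS`, `ScramServerError`, `parse_server_first` and `salted_password` are names introduced here, the cap is a hypothetical policy value, SASLprep normalization of the password is omitted, and `HOSTILE_SERVER_FIRST` is a constructed message derived from the RFC 5802 example exchange.

```ruby
require "openssl"

# Added example, not Net::IMAP code: bound the server-chosen SCRAM iteration
# count before any PBKDF2 work is done.

# Hypothetical policy cap: above the RFC 7677 minimum of 4096 for SCRAM-SHA-256,
# far below a value that would let a hostile server burn minutes of client CPU.
MAX_SCRAM_ITERATIONS = 100_000

class ScramServerError < StandardError; end

# Parse a server-first-message "r=<nonce>,s=<base64 salt>,i=<count>" (RFC 5802 section 7).
def parse_server_first(message)
  attrs = {}
  message.split(",").each do |field|
    key, val = field.split("=", 2)
    raise ScramServerError, "malformed field #{field.inspect}" if val.nil? || key.size != 1
    attrs[key] = val
  end
  raise ScramServerError, "server error: #{attrs['e']}" if attrs.key?("e")
  %w[r s i].each { |k| raise ScramServerError, "missing #{k}= attribute" unless attrs.key?(k) }
  raise ScramServerError, "non-numeric iteration count" unless attrs["i"].match?(/\A[1-9]\d*\z/)
  # unpack1("m0") is strict base64: a malformed salt raises rather than decoding leniently
  { nonce: attrs["r"], salt: attrs["s"].unpack1("m0"), iterations: attrs["i"].to_i }
end

# SaltedPassword := Hi(Normalize(password), salt, i), i.e. PBKDF2-HMAC with the
# mechanism's hash. Refuses before touching the KDF if "i" exceeds the cap.
# (SASLprep normalization is omitted here; the example password is plain ASCII.)
def salted_password(password, server_first, hash: "sha256", max_iterations: MAX_SCRAM_ITERATIONS)
  p = parse_server_first(server_first)
  if p[:iterations] > max_iterations
    raise ScramServerError, "server asked for #{p[:iterations]} iterations, cap is #{max_iterations}"
  end
  OpenSSL::KDF.pbkdf2_hmac(password, salt: p[:salt], iterations: p[:iterations],
                           length: OpenSSL::Digest.new(hash).digest_length, hash: hash)
end

# server-first-message from the RFC 5802 example exchange (password "pencil", SCRAM-SHA-1).
RFC5802_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
# Constructed hostile variant: same nonce and salt, iteration count cranked up.
HOSTILE_SERVER_FIRST = RFC5802_SERVER_FIRST.sub(/i=\d+/, "i=2000000000")

if $PROGRAM_NAME == __FILE__
  puts salted_password("pencil", RFC5802_SERVER_FIRST, hash: "sha1").unpack1("H*")
  begin
    salted_password("pencil", HOSTILE_SERVER_FIRST, hash: "sha1")
  rescue ScramServerError => e
    puts "refused: #{e.message}"
  end
end
```

The cap has to be enforced on the parsed integer before the KDF call; checking the digest or the nonce afterwards is too late, because the expensive work has already been done on the attacker's terms.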

