==========================================================================
Ubuntu Security Notice USN-8431-1
June 15, 2026

ruby2.3, ruby2.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Ruby could allow unintended access to network services.

Software Description:
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

It was discovered that Ruby's Net::IMAP library did not properly verify
that Transport Layer Security (TLS) encryption was started after issuing a 
STARTTLS command. A remote
attacker could possibly use this issue to perform a machine-in-the-middle 
attack and silently
bypass TLS encryption. (CVE-2026-42246)

It was also discovered that Ruby's Net::IMAP library did not validate
string arguments passed to certain commands. A remote attacker could possibly 
use this issue to
inject arbitrary IMAP commands. (CVE-2026-42257)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libruby2.5                      2.5.1-1ubuntu1.16+esm8
                                  Available with Ubuntu Pro
  ruby2.5                         2.5.1-1ubuntu1.16+esm8
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm14
                                  Available with Ubuntu Pro
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm14
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8431-1
  CVE-2026-42246, CVE-2026-42257

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to