v0.4.20 #449
nevans announced in Announcements
What's Changed
Security
This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#427), and the max_response_size config attribute (#445, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).
Note: The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.
Known Issues
Fixed in v0.4.22: Older versions of Ruby 3.0 on Mac OS crash when net/imap is required (#471).
Important: Ruby 3.0.7 is unaffected by #471 and was released on 2024-04-23. Ruby 3.0 has reached its EOL.
If you are affected by #471, upgrading Ruby is much more important than upgrading net-imap!
Added
response_handlers kwarg to Net::IMAP.new by @nevans in ✨ Add response_handlers kwarg to Net::IMAP.new (backport #419 to 0.4) #427
response_handlers kwarg to Net::IMAP.new #419
max_response_size #444
Documentation
Other Changes
Config.version_defaults creation #412
get_response by @nevans in ♻️ Refactor get_response (backports #422 to 0.4) #431
Net::IMAP#get_response (internal) #422
get_response #433
Miscellaneous
assert_pattern from minitest (originally in ✨ Add basic ESearch support #333)
Full Changelog: v0.4.19...v0.4.20
This discussion was created from the release v0.4.20.
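The Security note above says a response size limit guards against untrusted servers. As an added illustration (not net-imap's code and not part of the release notes), this stand-alone reader shows what such a limit has to check: an IMAP line ending in {N} announces N literal bytes, so the announced size must be rejected before anything is read for it. The class names, the error class and the sample data in the comments are hypothetical.

```ruby
require "stringio"

# Added illustration with hypothetical names; this is not net-imap's code.
class ResponseTooLarge < StandardError; end

class BoundedResponseReader
  # A line ending in "{N}" CRLF announces that N raw literal bytes follow.
  LITERAL = /\{(\d+)\}\r\n\z/

  def initialize(io, max_response_size:)
    @io  = io
    @max = max_response_size # nil means unlimited
  end

  # Returns one complete response (its lines plus any literals) as a binary
  # string, or raises ResponseTooLarge once the limit would be exceeded.
  def read_response
    buf = "".b
    loop do
      line = read_line(buf.bytesize) or raise EOFError, "connection closed"
      buf << line
      unless line.end_with?("\r\n")
        too_large!(buf.bytesize) if @max && buf.bytesize >= @max
        raise EOFError, "truncated response"
      end
      match = LITERAL.match(line) or return buf
      size = match[1].to_i
      # Check the announced size before reading: nothing is buffered for it.
      too_large!(buf.bytesize + size) if @max && buf.bytesize + size > @max
      data = @io.read(size)
      raise EOFError, "truncated literal" if data.nil? || data.bytesize < size
      buf << data.b
    end
  end

  private

  # Never asks the socket for more bytes than the limit still allows.
  def read_line(used)
    line = @max ? @io.gets("\r\n", [@max - used, 1].max) : @io.gets("\r\n")
    line&.b
  end

  def too_large!(bytes)
    raise ResponseTooLarge, "response of #{bytes}+ bytes exceeds limit #{@max}"
  end
end
```

With max_response_size: nil the reader accepts any announced literal size, which is the unbounded behaviour the note describes as the default.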