Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update net-imap 0.5.2 → 0.5.6 (minor) #1408

Closed
wants to merge 1 commit into from
Closed

Update net-imap 0.5.2 → 0.5.6 (minor) #1408

wants to merge 1 commit into from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Feb 8, 2025

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ net-imap (0.5.2 → 0.5.6) · Repo

Release Notes

0.5.6

What's Changed

🔒 Security Fix

Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.

Fix with minor API changes

Set config.parser_use_deprecated_uidplus_data to false to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers). Code that does not handle APPENDUID or COPYUID responses should not see any difference. Code that does handle these responses may need to be updated.

For v0.3.8, this option is not available
For v0.4.19, the default value is true.
For v0.5.6, the default value is :up_to_max_size.
For v0.6.0, the only allowed value will be false (UIDPlusData will be removed from v0.6).

Mitigate with backward compatible API

Adjust config.parser_max_deprecated_uidplus_data_size to limit the maximum UIDPlusData UID set size.
When config.parser_use_deprecated_uidplus_data == true, larger sets will crash.
When config.parser_use_deprecated_uidplus_data == :up_to_max_size, larger sets will use AppendUIDData or CopyUIDData.

For v0.3,8, this limit is hard-coded to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be 0 (UIDPlusData will be removed from v0.6).

Please Note: unhandled responses

If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:

limit = 1000
imap.add_response_handler do |resp|
  next unless resp.respond_to?(:name) && resp.respond_to?(:data)
  name = resp.name
  code = resp.data.code&.name if resp.data.in?(Net::IMAP::ResponseText)
  imap.responses(name) { _1.slice!(0...-limit) }
  imap.responses(code) { _1.slice!(0...-limit) }
end

Added

  • 🔧 Ensure ResponseParser config is mutable and non-global by @nevans in #381
  • ✨ Add SequenceSet methods for querying about duplicates by @nevans in #384
  • ✨ Add SequenceSet#each_ordered_number by @nevans in #386
  • ✨ Add SequenceSet#find_ordered_index by @nevans in #396
  • ✨ Add SequenceSet#ordered_at by @nevans in #397
  • ✨ Add AppendUIDData and CopyUIDData classes by @nevans in #400
  • 🔧 Add parser config for APPENDUID/COPYUID, 🗑️ Deprecate UIDPlusData by @nevans in #401

Fixed

  • 🐛 Fix SequenceSet#append when its @string is nil by @nevans in #376
  • 🐛 Fix SequenceSet merging in another SequenceSet by @nevans in #377
  • 🐛 Fix SequenceSet count dups with multiple "*" by @nevans in #387
  • 🥅 Re-raise #starttls error from receiver thread by @nevans in #395

Documentation

  • 📚 Fix SequenceSet#cover? documentation by @nevans in #379
  • 📚 Document COPYUID in tagged vs untagged responses by @nevans in #398

Other Changes

  • 🚚 Move UIDPlusData to its own file by @nevans in #391
  • ♻️ Parse uid-set as sequence-set without * by @nevans in #393

Miscellaneous

  • ⬆️ Bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #375
  • ⬆️ Bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #380
  • ✅ Improve test coverage for SequenceSet enums by @nevans in #383
  • ♻️✅ Refactor SequenceSet enumerator tests by @nevans in #385
  • ➕ Add "irb" to Gemfile to silence warning by @nevans in #388
  • Omit flaky test with macOS platform by @hsbt in #389
  • ✅ Improve UIDPlusData test coverage by @nevans in #392
  • 🚚 Rename UIDPLUS test file for consistency by @nevans in #399

Full Changelog: v0.5.5...v0.5.6

0.5.5

What's Changed

Breaking Changes

  • 🐛💥 Remove accidental Data#attributes method by @nevans in #371
    For ruby 3.2 and above, this PR is not a breaking change, and it fixes a YAML serialization bug.
    Net::IMAP::Data#attributes was only available in ruby 3.1, with net-imap v0.5.2 - v0.5.4. It can be replaced by #to_h.

Added

Documentation

New Contributors

  • @avdi made their first contribution in #366

Full Changelog: v0.5.4...v0.5.5

0.5.4

What's Changed

Added

  • ✨ Add support for PARTIAL extension (RFC9394) by @nevans in #367

Fixed

  • 🐛 Fix partial-range encoding of exclusive ranges by @nevans in #370

Documentation

Full Changelog: v0.5.3...v0.5.4

0.5.3

What's Changed

Added

  • ✨ Add support for VANISHED responses by @nevans in #329

Documentation

Full Changelog: v0.5.2...v0.5.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Feb 8, 2025
@depfu depfu bot mentioned this pull request Feb 8, 2025
Closed
@mitlib mitlib temporarily deployed to mit-bento-pr-1408 February 8, 2025 22:47 Inactive
@coveralls
Copy link

Coverage Status

coverage: 99.127%. remained the same
when pulling 440c556 on depfu/update/net-imap-0.5.6
into fbdea98 on main.

@depfu Depfu
Copy link
Contributor Author

depfu bot commented Feb 10, 2025

Closing because this update has already been applied

@depfu depfu bot closed this Feb 10, 2025
@depfu depfu bot deleted the depfu/update/net-imap-0.5.6 branch February 10, 2025 16:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
depfu
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@coveralls @mitlib