Skip to content

Update dependency net-imap to v0.6.4.1 (main)#447

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-net-imap-0.x
Open

Update dependency net-imap to v0.6.4.1 (main)#447
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-net-imap-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
net-imap (changelog) 0.5.120.6.4.1 age adoption passing confidence

Release Notes

ruby/net-imap (net-imap)

v0.6.4.1

Compare Source

What's Changed
🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.

  • (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
    This vulnerability depends how the server interprets non-synchronizing literals.
    The connection is not vulnerable if the server supports non-synchronizing literals.
  • (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
    • 🥅 Validate ID values contain only valid bytes by @​nevans in #​698
    • 🥅 Validate #enable arguments are all atoms by @​nevans in #​699
      NOTE: #enable should never be called with untrusted input.
  • (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
    This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
Added
Fixed
Documentation
  • ⚠️ Boost visibility of raw data argument documentation warnings by @​nevans in #​677
Other Changes
Miscellaneous

Full Changelog: ruby/net-imap@v0.6.4...v0.6.4.1

v0.6.4

Compare Source

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING]
#​664 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT]
Argument validation is significantly improved. Several injection vulnerabilities have been fixed:
#​657 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
#​658 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg)
#​659 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
#​660 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String.
    When attr is an Array, its String members are sent as raw data.

[!CAUTION]
RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE]
Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

#​642 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
#​654 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Breaking Changes
  • ResponseReader memoizes Config#max_response_size in #​642.
    Changes to #max_response_size now take effect once per response, not on every IO#read.
    NOTE: It is not expected that this will affect any current usage. See the PR for details.
Added
Fixed
Documentation
Other Changes
Miscellaneous

New Contributors

Full Changelog: ruby/net-imap@v0.6.3...v0.6.4

v0.6.3

Compare Source

What's Changed

Added
  • 🥅 Add parser state and #detailed_message to ResponseParseError by @​nevans in #​599
    • 🥅💄 Support (monochrome) highlights in parse error details by @​nevans in #​603
    • 🥅💄 Auto-highlight parse error detailed_message using TERM and FORCE_COLOR by @​nevans in #​607
    • 🥅💄 Add color highlights to parse error details (default honors NO_COLOR) by @​nevans in #​609
  • 🔧 Add Config#overrides? (opposite of #inherited?) by @​nevans in #​610
  • 🔧 Add recursive Config#inherits_defaults? by @​nevans in #​611
Fixed
Other Changes

Fixes for unreleased code:

Miscellaneous

Full Changelog: ruby/net-imap@v0.6.2...v0.6.3

v0.6.2

Compare Source

What's Changed

Fixed

Full Changelog: ruby/net-imap@v0.6.1...v0.6.2

v0.6.1

Compare Source

What's Changed

Fixed
Miscellaneous

Full Changelog: ruby/net-imap@v0.6.0...v0.6.1

v0.6.0

Compare Source

What's Changed

Breaking Changes
  • 🔧 Update default config for v0.6 by @​nevans in #​539
    • responses_without_block changed from :warn to :frozen_dup
    • parser_use_deprecated_uidplus_data changed from :up_to_max_size to false (and is deprecated)
    • parser_max_deprecated_uidplus_data_size changed from 100 to 0 (and is deprecated)
  • 💥 Require ruby >= 3.2 (drop support for 3.1) by @​nevans in #​538
  • 💥✨ Change SequenceSet#size to count * and repeated numbers by @​nevans in #​564
    SequenceSet is used to represent both sorted sets and ordered lists (which may contain duplicates). Members are non-zero UInt32 numbers, but "*" has special meaning as "the number corresponding to the last mailbox entry". So there are four different ways to count the members of a SequenceSet.
    Previously, #size was an alias for #count. Now it differs in both relevant aspects.
    * is a unique member * is treated like 2³² - 1
    distinct set members #cardinality #count
    ordered list, including duplicates #size #count_with_duplicates
  • 🔥 Remove deprecated UIDPlusData class by @​nevans in #​540
    UIDPlusData was deprecated by v0.5.6. AppendUIDData or CopyUIDData will always be returned instead.
  • 🔥 Delete deprecated MessageSet by @​nevans in #​573
    MessageSet was deprecated by v0.5.0. Use SequenceSet instead.
  • 🔥 Use psych (>= 5.2.5) for encoding Data objects by @​nevans in #​543
    This changes the YAML tag for Data subclasses from ruby/object:Net::IMAP::DataSubclass to ruby/data:Net::IMAP::DataSubclass. YAML dumped by earlier net-imap versions may not load correctly. Psych >= 5.2.5 is required to dump these objects correctly.
  • 💥 Do not include OpenSSL and OpenSSL::SSL modules into Net::IMAP by @​nevans in #​533
    This only affects the ability to use OpenSSL constants from the Net::IMAP namespace.
  • 💥 Don't set verify_callback to VerifyCallbackProc by @​nevans in #​534
    This functionality was never documented and is redundant with the verify_callback option.
Deprecated
  • Deprecated config options for UIDPlusData in #​540
    The parser_use_deprecated_uidplus_data and parser_max_deprecated_uidplus_data_size config options will be removed in v0.7.0. They are kept for backward compatibility, but they do not affect response parser results. When parser_use_deprecated_uidplus_data is changed from the default value (false), deprecation warnings are printed when parsing APPENDUID or COPYUID response codes.
Added
Documentation
Other Changes
  • 🔥 Drop Data polyfill by @​nevans in #​541
    This was only used for ruby 3.1, which is no longer supported. So this is not considered a breaking change.
  • ♻️ Refactor Config.versioned_defaults to reduce merge conflcts by @​nevans in #​544
  • Improved Net::IMAP::SequenceSet performance
Miscellaneous

Full Changelog: ruby/net-imap@v0.5.12...v0.6.0

v0.5.15

Compare Source

What's Changed

🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.5.14. Please see the linked security advisories for more information.

  • (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
    This vulnerability depends how the server interprets non-synchronizing literals.
    The connection is not vulnerable if the server supports non-synchronizing literals.
  • (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
    • 🥅 Validate ID values contain only valid bytes by @​nevans in #​703 (backports #​698)
    • 🥅 Validate #enable arguments are all atoms by @​nevans in #​703 (backport #​699)
      NOTE: #enable should never be called with untrusted input.
  • (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
    This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
Fixed
Documentation
Other Changes
Miscellaneous
  • ✅ Improvements to tests' FakeServer in #​696 (backports #​678)

Full Changelog: ruby/net-imap@v0.5.14...v0.5.15

v0.5.14

Compare Source

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING]
#​665 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT]
Argument validation is significantly improved. Several command injection vulnerabilities have been fixed:
#​662 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
#​662 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg)
#​662 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
#​662 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String.
    When attr is an Array, its String members are sent as raw data.

[!CAUTION]
RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE]
Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

#​650 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
#​656 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

Added
Fixed
Other Changes
Miscellaneous

Full Changelog: ruby/net-imap@v0.5.13...v0.5.14

v0.5.13

Compare Source

What's Changed

Fixed
Documentation
Other Changes
  • ♻️ Refactor Config.versioned_defaults to reduce merge conflicts (backport to 0.5) by @​nevans in #​584
Miscellaneous

Full Changelog: ruby/net-imap@v0.5.12...v0.5.13


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Jul 8, 2026
@renovate renovate Bot force-pushed the renovate/main-net-imap-0.x branch from 847c639 to 370851a Compare July 8, 2026 19:12
@renovate renovate Bot force-pushed the renovate/main-net-imap-0.x branch from 370851a to a37f09b Compare July 9, 2026 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants