v0.5.14
What's Changed
🔒 Security
This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.
Warning
#665 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.
Important
Argument validation is significantly improved. Several command injection vulnerabilities have been fixed:
#662 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
#662 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg)
#662 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
#662 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):
#searchand#uid_searchsendcriteriaas raw data, when it is a String#fetchand#uid_fetchsendattras raw data, when it is a String.
Whenattris an Array, its String members are sent as raw data.
Caution
RawData does not defend against other forms of argument injection! It is an intentionally low-level API.
Note
Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).
#650 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
#656 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).
Added
- 🔒 Add
ScramAuthenticator#max_iterations(backports #654) in #656, reported by @Masamuneee
Fixed
- 🔒 Fix STARTTLS stripping vulnerability (backports #664) in #665, reported by @Masamuneee
- 🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661) in #662, reported by @manunio
- ⚡ Much faster ResponseReader performance (backports #642) in #650, reported by @Masamuneee
- 🐛 Config
version_defaultsshould be attr_reader (backports #594) by @nevans in #631 - 🐛 Wait to continue RawData literals (backports #660) by @nevans in #662
Other Changes
Miscellaneous
Full Changelog: v0.5.13...v0.5.14