v0.5.7 · ruby net-imap · Discussion #448 · GitHub

nevans
Apr 22, 2025
Maintainer

What's Changed

🔒 Security

This release adds two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new (#419) so response handlers can be added before the server can send any responses, and the max_response_size config attribute (#444, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is extremely high, to avoid issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.

Added

✨ Track IMAP connection state by @nevans in ✨ Track IMAP connection state #416
✨ Add response_handlers kwarg to Net::IMAP.new by @nevans in ✨ Add response_handlers kwarg to Net::IMAP.new #419
✨ Customize SequenceSet YAML serialization by @nevans in ✨ Customize SequenceSet YAML serialization #432
✨ Limit max_response_size by @nevans in ✨ Limit max_response_size #444

Documentation

📚 Improve docs for unbounded memory use and thread safety by @nevans in 📚 Improve docs for unbounded memory use and thread safety #418
📚 Impove SequenceSet docs by @nevans in 📚 Impove SequenceSet docs #420
📚 Doc improvements for open_timeout, etc by @nevans in 📚 Doc improvements for open_timeout, etc #424

Other Changes

♻️ Reorganize Config.version_defaults creation by @nevans in ♻️ Reorganize Config.version_defaults creation #412
♻️ Refactor Config attr type coercion by @nevans in ♻️ Refactor Config attr type coercion #417
♻️ Refactor Net::IMAP#get_response (internal) by @nevans in ♻️ Refactor Net::IMAP#get_response (internal) #422
♻️ Rational config versions by @nevans in ♻️ Rational config versions #429
♻️ Extract ResponseReader from get_response by @nevans in ♻️ Extract ResponseReader from get_response #433
♻️ Refactor ResponseReader by @nevans in ♻️ Refactor ResponseReader #435

Miscellaneous

Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in Bump step-security/harden-runner from 2.10.4 to 2.11.0 #409
✅ Make FakeServer more robust against disconnect by @nevans in ✅ Make FakeServer more robust against disconnect #414
✅ Improvements to FakeServer (tests only) by @nevans in ✅ Improvements to FakeServer (tests only) #415
✅ Ignore more IO errors in some FakeServer tests by @nevans in ✅ Ignore more IO errors in some FakeServer tests #421
⬆️ Bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in ⬆️ Bump step-security/harden-runner from 2.11.0 to 2.11.1 #423

Full Changelog: v0.5.6...v0.5.7

This discussion was created from the release v0.5.7.

Replies: 0 comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment