v0.4.24

[nevans]

Important

The 0.4.x release branch will only receive critical security fixes, and will be unsupported when ruby 3.3 is EOL.
Please upgrade to a newer version.

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

#666 fixes a STARTTLS stripping vulnerability. Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Important

Argument validation is significantly improved. Several command injection vulnerabilities have been fixed by #663.
This fixes a CRLF/command injection vulnerability for Symbol arguments.
This fixes a CRLF/command injection vulnerability for the attr argument to #store/#uid_store.
This fixes a CRLF/command injection vulnerability for the storage_limit argument to #setquota.
This fixes a CRLF/command injection vulnerability for RawData, which is used by:

• #search and #uid_search send criteria as raw data, when it is a String
• #fetch and #uid_fetch send attr as raw data, when it is a String.
  When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

Note

Two denial of service vectors have been addressed.
These are relevant when connecting to an untrusted hostile server (or without TLS).

#651 fixes quadratic time complexity when reading large responses containing many string literals.
#655 adds a configurable max_iterations count for SCRAM-* authentication.

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Added

• 🔒 Add ScramAuthenticator#max_iterations (backports 🔒 Add ScramAuthenticator#max_iterations #654) in 🔒 Add ScramAuthenticator#max_iterations (backports #654) #655, reported by @Masamuneee

Fixed

• 🔒 Fix STARTTLS stripping vulnerability (backports 🔒 Fix STARTTLS stripping vulnerability #664) in 🔒 Fix STARTTLS stripping vulnerability (backports #664) #666, reported by @Masamuneee
• 🔒 Fix CRLF injection vulnerabilities (backports 🔒️ Strictly validate symbol (\flag) arguments #657, 🔒️ Validate and send STORE attr as an atom #658, 🔒 Validate #setquota storage limit argument #659, 🔒🐛 Validate RawData and wait to continue literals #660, 📚️ Fix QUOTA documentation, ✅ Test #setquota, ♻️ Add MailboxQuota#quota_root alias #636, 📚 Improve documentation of RawData arguments #661) in 🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661) #663, reported by @manunio
• ⚡ Much faster ResponseReader performance (backports ⚡ Much faster ResponseReader performance #642) in ⚡ Much faster ResponseReader performance (backports #642) #651, reported by @Masamuneee
• 🐛 Wait to continue RawData literals (backports 🔒🐛 Validate RawData and wait to continue literals #660) by @nevans in 🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661) #663

Other Changes

• ♻️ Improve internal literal sending (partially backports ♻️ Refactor internal command data classes #358, ✨ Support BINARY extention to #append (RFC3516)  #616, ✨ Support LITERAL+ and LITERAL- non-synchronizing literals (RFC7888) #649) by @nevans in ♻️ Improve internal literal sending (partially backports #358, #616, #649) #653

Full Changelog: v0.4.23...v0.4.24

---

This discussion was created from the release v0.4.24.