Bump net-imap from 0.5.8 to 0.5.14

[dependabot]

Bumps net-imap from 0.5.8 to 0.5.14.

Release notes

Sourced from net-imap's releases.

v0.5.14

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING] ruby/net-imap#665 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp). Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT] Argument validation is significantly improved. Several command injection vulnerabilities have been fixed: ruby/net-imap#662 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px). ruby/net-imap#662 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg) ruby/net-imap#662 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg). ruby/net-imap#662 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

• #search and #uid_search send criteria as raw data, when it is a String
• #fetch and #uid_fetch send attr as raw data, when it is a String. When attr is an Array, its String members are sent as raw data.

[!CAUTION] RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE] Two denial of service vulnerabilities have been addressed. These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

ruby/net-imap#650 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw). ruby/net-imap#656 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

Added

• 🔒 Add ScramAuthenticator#max_iterations (backports #654) in ruby/net-imap#656, reported by @​Masamuneee

Fixed

• 🔒 Fix STARTTLS stripping vulnerability (backports #664) in ruby/net-imap#665, reported by @​Masamuneee
• 🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661) in ruby/net-imap#662, reported by @​manunio
• ⚡ Much faster ResponseReader performance (backports #642) in ruby/net-imap#650, reported by @​Masamuneee
• 🐛 Config version_defaults should be attr_reader (backports #594) by @​nevans in ruby/net-imap#631
• 🐛 Wait to continue RawData literals (backports #660) by @​nevans in ruby/net-imap#662

Other Changes

• ♻️ Improve internal literal sending (partially backports #616, #649) by @​nevans in ruby/net-imap#652

Miscellaneous

• ✅ Fix Data polyfill tests for ruby 4.1 by @​nevans in ruby/net-imap#632

Full Changelog: ruby/net-imap@v0.5.13...v0.5.14

v0.5.13

What's Changed

... (truncated)

Commits

• 4063bc1 🔖 Bump version to 0.5.14
• f79d35b 🔀 Merge pull request #665 from ruby/backport/v0.5/STARTTLS-stripping
• b3ad198 🍒 pick 24d5c773d: 🔒🥅 Handle tagged "OK" to incomplete command [backport #664]
• 7a233c5 🍒 pick 62eea6ffe: 🔒🥅 Ensure STARTTLS tagged response was handled [backport #664]
• a530fa7 🍒 pick 46636cae8: ❌🔒 Add failing test for STARTTLS stripping [backport #664]
• 6bf02ae 🔀 Merge pull request #662 from ruby/backport/v0.5/raw_data-warnings
• fa478c5 🍒 pick be32e712e: 📚 Improve documentation of RawData arguments [backports #661]
• ca0ca5d 🍒 pick 47c72186d: 🐛 Validate RawData and wait to continue literals [backports...
• 3116c7d 🍒 pick 0ec4fd351: 🥅 Validate #setquota storage limit argument [backports #659]
• bbe901a 🍒 pick 0ea729c78: 📚 Update QUOTA rdoc, params, attrs to match RFCs [backports...
• Additional commits viewable in compare view

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud