Source: ruby3.1
Version: 3.1.2-8.5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ruby3.1.

CVE-2025-25186[0]:
| Net::IMAP implements Internet Message Access Protocol (IMAP) client
| functionality in Ruby. Starting in version 0.3.2 and prior to
| versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial
| of service by memory exhaustion in `net-imap`'s response parser. At
| any time while the client is connected, a malicious server can send
| can send highly compressed `uid-set` data which is automatically
| read by the client's receiver thread. The response parser uses
| `Range#to_a` to convert the `uid-set` data into arrays of integers,
| with no limitation on the expanded size of the ranges. Versions
| 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details
| for proper configuration of fixed versions and backward
| compatibility are available in the GitHub Security Advisory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25186
https://www.cve.org/CVERecord?id=CVE-2025-25186

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)