Question about advisory

[manunio]

Hi @nevans sorry for creating this issue, forgot to ask this at advisory comments. Can you please clear a small doubt of mine. Now that the advisory has been published, will it be also published at https://www.ruby-lang.org/en/security/ too ?

[nevans]

I'd been thinking about opening up the GitHub Discussions tab for a while, and I did that when I published the GitHub releases. So I copied this over from issues to discussions. 🙂

Also, I didn't realize (or think through) that the discussion on the advisory would be locked after publishing! Oops!

The short answer is that I think it should be published at https://www.ruby-lang.org/en/security/. rexml is also a bundled gem and its advisories are published there. I don't know if that's automated or if I need to make a PR.

I had intended to check with @hsbt and @shugo what else needed to be done and if there was a checklist for this sort of thing I should follow. But then I forgot to do that before publishing. Sorry!

[manunio]

The short answer is that I think it should be published at https://www.ruby-lang.org/en/security/. rexml is also a bundled gem and its advisories are published there. I don't know if that's automated or if I need to make a PR.

Yes, I agree! 👍

[manunio]

I think a pull request similar to ruby/www.ruby-lang.org#3400 needs to be made, but not sure :)

[nevans]

Great. I've pushed a PR (ruby/www.ruby-lang.org#3489) and I copied your H1 profile from the rexml CVE for the credit. 🙂

[manunio]

Great. I've pushed a PR (ruby/www.ruby-lang.org#3489) and I copied your H1 profile from the rexml CVE for the credit. 🙂

Thanks for that :)

[hsbt]

@nevans Thank you for your work. I merged the announcement for CVE-2025-25186.

[nevans]

Because net-imap is a bundled gem (not a default gem), users should generally be bundling it, so they can easily get alerts and upgrade (and remove the default gem). Also I believe the scope is limited due to the nature of IMAP: reading emails is inherently sensitive so most users will only ever connect to trusted servers. And compromised servers generally will not want to notify users, so they will not DoS clients.

So I do not think this warrants any out-of-cycle ruby releases. Nor do I think it needs to be specifically called out in the ruby release announcement (at least one of rexmls CVEs was in the ruby release announcement, but many are only listed in the automated GitHub release notes). But, I would like to see the fix in the next ruby releases.

@hsbt, if there are any PRs that need to be made (for 3.4, 3.3, 3.2, or the website), I'll try to do that over the next few days.

[nevans]

@hsbt since stable ruby releases have bundled x.y.z.patch releases of net-imap, should I create minimal patch releases for them:

• ruby 3.2.7 bundles net-imap v0.3.4.1:
  use v0.3.8 or create v0.3.4.2?
• ruby 3.3.7 bundles net-imap v0.4.9.1:
  use v0.4.19 or create v0.4.9.2?
• ruby 3.4.1 bundles net-imap v0.5.4:
  use v0.5.6 or create v0.5.4.1?

In all cases, I should be able to cherry-pick only the backward-compatible change that imposes a limit on maximum size.

[nevans]

Especially in the case of ruby 3.4 and net-imap 0.5, I would prefer to move forward to 0.5.6. But this does contain both bugfixes and new features. So if the ruby 3.4 policy for bundled gems is a strict feature freeze, then I'll need to make 0.5.4.1.

[hsbt]

net-imap 0.3.8, 0.4.19 and 0.5.6 are enough for the next stable release. Could you submit a pull request like ruby/ruby#12699 to ruby_3_2, ruby_3_3 and ruby_3_4?

[nevans]

@hsbt Thanks! Should I make a bugs.ruby-lang.org ticket too?

• Bump net-imap to v0.5.6 for Ruby 3.4 (CVE-2025-25186) ruby#12731
• Bump net-imap to 0.4.19 for Ruby 3.3 (CVE-2025-25186) ruby#12732
• Bump net-imap to 0.3.8 for Ruby 3.2 (CVE-2025-25186) ruby#12733

[hsbt]

@hsbt Thanks! Should I make a bugs.ruby-lang.org ticket too?

Yes, bugs.ruby-lang.org is the first place for backport request like https://bugs.ruby-lang.org/issues/21113

[nevans]

@hsbt Thanks. I've done that now too: https://bugs.ruby-lang.org/issues/21130