From d3403484b5442150ec6131276ce74cece6f93e56 Mon Sep 17 00:00:00 2001 From: Shia Date: Mon, 10 Feb 2025 20:21:47 +0900 Subject: [PATCH 1/4] cp {en,ko}/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md --- .../2025-02-11-dos-net-imap-cve-2025-25186.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md diff --git a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md new file mode 100644 index 0000000000..66b0d9a4fa --- /dev/null +++ b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md @@ -0,0 +1,29 @@ +--- +layout: news_post +title: "CVE-2025-25186: DoS vulnerability in net-imap" +author: "nevans" +translator: +date: 2025-02-11 03:00:00 +0000 +tags: security +lang: en +--- + +There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier [CVE-2025-25186](https://www.cve.org/CVERecord?id=CVE-2025-25186). We recommend upgrading the net-imap gem. + +## Details + +A malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges. + +Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later. + +## Affected versions + +* net-imap gem between 0.3.2 and 0.3.8, 0.4.0 and 0.4.19, or 0.5.0 and 0.5.6 + +## Credits + +Thanks to [manun](https://hackerone.com/manun) for discovering this issue. + +## History + +* Originally published at 2025-02-11 03:00:00 (UTC) From 062f7b27df1def1bfce3e5e40f18787acb5f543d Mon Sep 17 00:00:00 2001 From: Shia Date: Mon, 10 Feb 2025 20:28:32 +0900 Subject: [PATCH 2/4] Translate "CVE-2025-25186" (ko) --- .../2025-02-11-dos-net-imap-cve-2025-25186.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) 
diff --git a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md index 66b0d9a4fa..cde1536c9f 100644 --- a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md +++ b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md @@ -1,29 +1,30 @@ --- layout: news_post -title: "CVE-2025-25186: DoS vulnerability in net-imap" +title: "CVE-2025-25186: net-imap의 DoS 취약점" author: "nevans" -translator: +translator: "shia" date: 2025-02-11 03:00:00 +0000 tags: security -lang: en +lang: ko --- -There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier [CVE-2025-25186](https://www.cve.org/CVERecord?id=CVE-2025-25186). We recommend upgrading the net-imap gem. +net-imap gem에서 DoS 취약점이 발견되었습니다. 이 취약점은 CVE 번호 [CVE-2025-25186](https://www.cve.org/CVERecord?id=CVE-2025-25186)로 등록되었습니다. net-imap gem을 업그레이드하기를 추천합니다. -## Details +## 세부 내용 A malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges. +악의적인 서버가 고도로 압축된 uid-set 데이터를 보낼 수 있으며, 클라이언트의 수신 스레드는 이 데이터를 자동으로 읽습니다. 응답 파서는 uid-set 데이터를 정수 배열로 변환하기 위해 Range#to_a를 사용하며, 이때 범위의 확장 크기에 대한 제한이 없습니다. -Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later. +net-imap gem을 0.3.8, 0.4.19, 또는 0.5.6으로 업데이트하세요. -## Affected versions +## 해당 버전 -* net-imap gem between 0.3.2 and 0.3.8, 0.4.0 and 0.4.19, or 0.5.0 and 0.5.6 +* net-imap gem 0.3.2부터 0.3.8까지, 0.4.0부터 0.4.19까지, 또는 0.5.0부터 0.5.6까지 -## Credits +## 도움을 준 사람 -Thanks to [manun](https://hackerone.com/manun) for discovering this issue. +이 문제를 발견해 준 [manun](https://hackerone.com/manun)에게 감사를 표합니다. -## History +## 수정 이력 -* Originally published at 2025-02-11 03:00:00 (UTC) +* 2025-02-11 03:00:00 (UTC) 최초 공개 
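Review bot: The translated update line in PATCH 2/4, "net-imap gem을 0.3.8, 0.4.19, 또는 0.5.6으로 업데이트하세요.", drops the "or later" of the English line it replaces ("version 0.3.8, 0.4.19, 0.5.6, or later"), so it reads as if only those three exact releases are acceptable. Suggest "net-imap gem을 0.3.8, 0.4.19, 0.5.6 또는 그 이후 버전으로 업데이트하세요." so that readers on a newer release are not told to move to an older one.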
From b12ba686b4d102d5b0c78ae83fbbecbc2aa26858 Mon Sep 17 00:00:00 2001 From: Shia Date: Tue, 11 Feb 2025 07:02:13 +0900 Subject: [PATCH 3/4] Update ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md Co-authored-by: Juanito Fatas --- ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md index cde1536c9f..ca5696bf8a 100644 --- a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md +++ b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md @@ -19,7 +19,7 @@ net-imap gem을 0.3.8, 0.4.19, 또는 0.5.6으로 업데이트하세요. ## 해당 버전 -* net-imap gem 0.3.2부터 0.3.8까지, 0.4.0부터 0.4.19까지, 또는 0.5.0부터 0.5.6까지 +* net-imap gem 0.3.2부터 0.3.7까지, 0.4.0부터 0.4.18까지, 또는 0.5.0부터 0.5.5까지 ## 도움을 준 사람 From 3e7ef7c9149b202f773e26c75f342dea5b2d6fce Mon Sep 17 00:00:00 2001 From: Shia Date: Tue, 11 Feb 2025 07:03:38 +0900 Subject: [PATCH 4/4] Remove origin text ;) --- ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md | 1 - 1 file changed, 1 deletion(-) diff --git a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md index ca5696bf8a..15c847df5e 100644 --- a/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md +++ b/ko/news/_posts/2025-02-11-dos-net-imap-cve-2025-25186.md @@ -12,7 +12,6 @@ net-imap gem에서 DoS 취약점이 발견되었습니다. 이 취약점은 CVE ## 세부 내용 -A malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges. 악의적인 서버가 고도로 압축된 uid-set 데이터를 보낼 수 있으며, 클라이언트의 수신 스레드는 이 데이터를 자동으로 읽습니다. 응답 파서는 uid-set 데이터를 정수 배열로 변환하기 위해 Range#to_a를 사용하며, 이때 범위의 확장 크기에 대한 제한이 없습니다. net-imap gem을 0.3.8, 0.4.19, 또는 0.5.6으로 업데이트하세요.
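Review bot: In PATCH 1/4 the "Affected versions" bullet ends each range at 0.3.8, 0.4.19 and 0.5.6, the same versions the line above it tells readers to update to, so the fixed releases are listed as affected. PATCH 3/4 corrects the upper bounds to 0.3.7, 0.4.18 and 0.5.5 in the ko file only; the 1/4 subject says this file was copied from en/, so the en post is worth checking for the same ranges. The opening sentence also carries a stray word: "There is a possibility for DoS by in the net-imap gem".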
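Review bot: Squash PATCH 4/4 into 2/4 before merge: 2/4 leaves the English "A malicious server can send highly compressed uid-set data ..." paragraph as a context line directly above its Korean translation under "## 세부 내용", and 4/4 only deletes that one line. Folding it in (and 3/4 with it) keeps every commit in history free of the mixed-language paragraph and of the affected-version ranges that include the fixed releases, and lets the result carry a subject that says what changed rather than "Remove origin text ;)".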