From c189ddea41a8c09bc81d6bf962665ceddf23b988 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:38:20 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20net-imap=200.5.12=20=E2=86=92?= =?UTF-8?q?=200.6.4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump clearing 5 CVEs (CVE-2026-42245/42246/42256/42257/42258: literal DoS, STARTTLS stripping, SCRAM DoS, command injection ×2). Not exposed: all require acting as an IMAP client. net-imap is autoloaded by mail only when retriever_method :imap is set; campfire configures no retriever and has no inbound email — net/imap is never required. Conservative update landed 0.6.4 (minor jump, dormant dep). Ruby floor raised to >= 3.2.0; campfire runs 3.4.5. 206 commits triaged, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-net-imap_v0.5.12..v0.6.4.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 075c181..73145d2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -224,7 +224,7 @@ GEM ruby2_keywords (~> 0.0.1) net-http-persistent (4.0.6) connection_pool (~> 2.2, >= 2.2.4) - net-imap (0.5.12) + net-imap (0.6.4) date net-protocol net-pop (0.1.2)