| Field | Value |
|---|---|
| Description | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 990815, 1014818 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby2.5 (PTS) | buster, buster (security) | 2.5.5-3+deb10u4 | fixed |
| ruby2.7 (PTS) | bullseye (security), bullseye | 2.7.4-1+deb11u1 | fixed |
The information below is based on the following data on fixed versions.
[buster] - jruby <no-dsa> (Minor issue)
[stretch] - jruby <no-dsa> (Minor issue)