An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "libruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-tcltk": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-dev-dbgsym": "2.3.1-2~ubuntu16.04.16+esm1", "libruby2.3-dbg": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-dev": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.16+esm1", "libruby2.3": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-tcltk-dbgsym": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3": "2.3.1-2~ubuntu16.04.16+esm1", "ruby2.3-doc": "2.3.1-2~ubuntu16.04.16+esm1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "ruby2.5": "2.5.1-1ubuntu1.10", "ruby2.5-dbgsym": "2.5.1-1ubuntu1.10", "libruby2.5": "2.5.1-1ubuntu1.10", "libruby2.5-dbgsym": "2.5.1-1ubuntu1.10", "ruby2.5-dev": "2.5.1-1ubuntu1.10", "ruby2.5-doc": "2.5.1-1ubuntu1.10" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "ruby2.7-doc": "2.7.0-5ubuntu1.5", "ruby2.7-dbgsym": "2.7.0-5ubuntu1.5", "ruby2.7": "2.7.0-5ubuntu1.5", "libruby2.7": "2.7.0-5ubuntu1.5", "libruby2.7-dbgsym": "2.7.0-5ubuntu1.5", "ruby2.7-dev": "2.7.0-5ubuntu1.5" } ] }