Fix CVE-2026-42246: upgrade Ruby net-imap gem to >=0.6.4 (#1066)
Applies the established gem-fixup pattern to net-imap in the assemble, phylo, and mega images. The gem enters via mummer4 -> yaggo -> ruby (same chain that introduced the json and erb CVEs). Practical exploitability is near-zero (no IMAP connections are made), but the Rego policy correctly surfaces it due to AV:N + VC:H + VI:H. Closes #1065
Pull request overview
This PR aims to remediate CVE-2026-42246 by applying the repository’s established “default gem fixup” pattern to Ruby’s net-imap within the container build, across the assemble, phylo, and mega Docker images.
Changes:
- Document `net-imap` as an additional post-install CVE fixup alongside the existing `json`/`erb` fixups.
- Add removal + reinstall steps for `net-imap` (installing `net-imap >= 0.6.4`) in each Dockerfile's existing "fixups" `RUN` layer.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docker/Dockerfile.assemble | Adds net-imap fixup steps (remove old gem artifacts, install >=0.6.4) during conda dependency install layer. |
| docker/Dockerfile.phylo | Adds net-imap fixup steps (remove old gem artifacts, install >=0.6.4) during conda dependency install layer. |
| docker/Dockerfile.mega | Adds net-imap fixup steps (remove old gem artifacts, install >=0.6.4) during conda dependency install layer. |
Thanks @copilot-pull-request-reviewer for catching those issues! Fixed in 7455255:

- Change `-maxdepth 3` to `-maxdepth 4` (net-imap gemspec is at depth 4)
- Change `specifications/default/` to `specifications/` (net-imap is a regular gem, not a default gem)

The original pattern was copied from the json/erb fixes, but net-imap has a different gem structure.

Verified these paths by inspecting the current main-assemble image.
- Add pre-pull step to scan-containers job to avoid transient GHCR errors
- Update actions/checkout v4→v5 (31 occurrences)
- Update actions/upload-artifact v4→v6 (2 occurrences)
- Update docker/login-action v3→v4 (6 occurrences)
- Update docker/setup-buildx-action v3→v4 (1 occurrence)
- Update github/codeql-action/upload-sarif v3→v4 (1 occurrence)
- Pin aquasecurity/trivy-action master→v0.36.0 (4 occurrences)

All changes address GitHub's Node.js 20→24 forced migration (June 2, 2026) and improve scan reliability + supply chain security.
Fixes #1065

Changes

Applies the established gem-fixup pattern (remove old default gem, install patched version) to `net-imap` in three Dockerfiles:

- docker/Dockerfile.assemble
- docker/Dockerfile.phylo
- docker/Dockerfile.mega

Each file now removes the vulnerable `net-imap` 0.6.2 default gem and installs `>=0.6.4` inline in the same RUN layer (so the vulnerable files never appear in a committed layer).

Vulnerability Background

CVE-2026-42246: STARTTLS-stripping vulnerability where a MITM can cause `Net::IMAP#starttls` to return successfully without TLS being negotiated (CVSS 4.0 score 7.6 HIGH).

The gem enters via the `mummer4 -> yaggo -> ruby` transitive chain, the same chain that introduced CVE-2026-33210 (json) and CVE-2026-41316 (erb).

Practical exploitability is near-zero (no IMAP connections are made in our pipelines), but the Rego policy correctly surfaces it because it has `AV:N + VC:H + VI:H` (network-accessible with high confidentiality and integrity impact).

Testing

CI will:

- container-scan.yml (CVE-2026-42246 should no longer appear)

Authored by Claude Sonnet 4.5 via Claude Code. Copilot review feedback addressed in commit 7455255.
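The following is an added illustration, not code from this repository's Dockerfiles, of the "remove old gem artifacts" half of the fixup discussed in the description above and in the review reply about `-maxdepth` and `specifications/`. It builds a constructed gem tree, shows that a depth-limited `find` one level too shallow silently sees nothing, removes the vulnerable gem's directory and gemspec, and verifies nothing is left before a reinstall would run. The layout `gems/<ruby-version>/{gems,specifications,specifications/default}` under a `lib/ruby`-style search root is an assumption for this example, so the depth numbers are relative to that root and may not match the project's; the reinstall step (`gem install 'net-imap:>=0.6.4'`) needs network access and is deliberately not executed here.

```shell
#!/bin/sh
# Added example (not the project's Dockerfile code). Exercises the
# "remove old gem artifacts, then reinstall" fixup on a constructed tree.
# Assumption: the search root holds gems/<ruby-version>/{gems,specifications}.
set -eu

# Build a constructed Ruby gem tree with one regular gem (net-imap 0.6.2,
# gemspec in specifications/) and one default gem (json, gemspec in
# specifications/default/), mirroring the distinction raised in review.
make_fake_ruby_tree() {
  root="$1"
  gemdir="$root/gems/3.3.0"
  mkdir -p "$gemdir/gems/net-imap-0.6.2/lib/net" \
           "$gemdir/gems/json-2.7.1/lib" \
           "$gemdir/specifications/default"
  : > "$gemdir/gems/net-imap-0.6.2/lib/net/imap.rb"
  : > "$gemdir/specifications/net-imap-0.6.2.gemspec"
  : > "$gemdir/gems/json-2.7.1/lib/json.rb"
  : > "$gemdir/specifications/default/json-2.7.1.gemspec"
}

# List the gem directory and gemspec for gem $2 under $1, searching no
# deeper than $3 levels. -prune stops find descending into a matched dir.
find_gem_artifacts() {
  find "$1" -maxdepth "$3" -name "$2-[0-9]*" -prune -print
}

# How many artifacts a depth-limited search sees: this is the number the
# fixup would actually act on, so it is the first thing to check.
count_gem_artifacts() {
  find_gem_artifacts "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Remove every artifact of the named gem. Fail loudly when the search finds
# nothing: in a build layer that usually means the depth or path pattern is
# wrong, not that the vulnerable gem is absent.
remove_gem_artifacts() {
  root="$1"; name="$2"; depth="$3"
  n="$(count_gem_artifacts "$root" "$name" "$depth")"
  if [ "$n" -eq 0 ]; then
    echo "no $name artifacts found under $root at depth $depth" >&2
    return 1
  fi
  find "$root" -maxdepth "$depth" -name "$name-[0-9]*" -prune -exec rm -rf {} +
}

# Post-condition to check before reinstalling: no directory or gemspec for
# the gem remains anywhere in the tree (deep search, not depth-limited).
gem_is_removed() {
  [ "$(count_gem_artifacts "$1" "$2" 6)" -eq 0 ]
}

demo() {
  tmp="$(mktemp -d)"
  make_fake_ruby_tree "$tmp"
  echo "depth 3 sees $(count_gem_artifacts "$tmp" net-imap 3) artifact(s)"  # 0: too shallow
  echo "depth 4 sees $(count_gem_artifacts "$tmp" net-imap 4) artifact(s)"  # 2: dir + gemspec
  remove_gem_artifacts "$tmp" net-imap 4
  gem_is_removed "$tmp" net-imap && echo "net-imap removed"
  echo "json default gem untouched: $(count_gem_artifacts "$tmp" json 6) artifact(s)"  # 2
  rm -rf "$tmp"
}

demo
```

The zero-match check is the part worth carrying into a real `RUN` layer: a `find` that is one level too shallow exits 0 having removed nothing, the subsequent `gem install` then places 0.6.4 beside the untouched 0.6.2, and a scanner that enumerates `.gemspec` files (as Trivy does for Ruby gems) keeps reporting the CVE on the image.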