Add advisories for CVE-2018-14042 and CVE-2014-3248 (#575)

* One brand new file: gems/bootstrap/CVE-2018-14042.yml
* Four advisories based on CVE-2014-3248 advisory

Author: jasnow

gems/bootstrap/CVE-2018-14042.yml

@@ -2,7 +2,7 @@
 gem: bootstrap
 cve: 2018-14042
 ghsa: 7mvr-5x2g-wfc8
-url: https://github.com/twbs/bootstrap/issues/26423
+url: https://github.com/twbs/bootstrap/issues/26428
 title: Bootstrap Cross-site Scripting vulnerability
 date: 2018-09-13
 description:

gems/facter/CVE-2014-3248.yml

@@ -0,0 +1,28 @@
+---
+gem: facter
+cve: 2014-3248
+ghsa: 92v7-pq4h-58j5
+url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
+title: Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
+date: 2017-10-24
+description:
+  Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
+  Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
+  before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
+  allows local users to gain privileges via a Trojan horse file in the current working
+  directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
+  Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
+  or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
+  in puppet/confine.
+patched_versions:
+  - '~> 1.7.6'
+  - '>= 2.0.2'
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
+    - https://github.com/advisories/GHSA-92v7-pq4h-58j5
+    - http://puppetlabs.com/security/cve/cve-2014-3248
+    - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
+    - http://secunia.com/advisories/59197
+    - http://secunia.com/advisories/59200
+    - http://www.securityfocus.com/bid/68035

gems/hiera/CVE-2014-3248.yml

@@ -0,0 +1,27 @@
+---
+gem: hiera
+cve: 2014-3248
+ghsa: 92v7-pq4h-58j5
+url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
+title: Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
+date: 2017-10-24
+description:
+  Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
+  Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
+  before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
+  allows local users to gain privileges via a Trojan horse file in the current working
+  directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
+  Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
+  or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
+  in puppet/confine.
+patched_versions:
+  - '>= 1.3.4'
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
+    - https://github.com/advisories/GHSA-92v7-pq4h-58j5
+    - http://puppetlabs.com/security/cve/cve-2014-3248
+    - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
+    - http://secunia.com/advisories/59197
+    - http://secunia.com/advisories/59200
+    - http://www.securityfocus.com/bid/68035

gems/mcollective-client/CVE-2014-3248.yml

@@ -0,0 +1,27 @@
+---
+gem: mcollective-client
+cve: 2014-3248
+ghsa: 92v7-pq4h-58j5
+url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
+title: Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
+date: 2017-10-24
+description:
+  Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
+  Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
+  before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
+  allows local users to gain privileges via a Trojan horse file in the current working
+  directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
+  Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
+  or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
+  in puppet/confine.
+patched_versions:
+  - '>= 2.5.2'
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
+    - https://github.com/advisories/GHSA-92v7-pq4h-58j5
+    - http://puppetlabs.com/security/cve/cve-2014-3248
+    - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
+    - http://secunia.com/advisories/59197
+    - http://secunia.com/advisories/59200
+    - http://www.securityfocus.com/bid/68035

gems/puppet/CVE-2014-3248.yml

@@ -0,0 +1,28 @@
+---
+gem: puppet
+cve: 2014-3248
+ghsa: 92v7-pq4h-58j5
+url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
+title: Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
+date: 2017-10-24
+description:
+  Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
+  Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
+  before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
+  allows local users to gain privileges via a Trojan horse file in the current working
+  directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
+  Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
+  or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
+  in puppet/confine.
+patched_versions:
+  - '~> 2.7.26'
+  - '>= 3.6.2'
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
+    - https://github.com/advisories/GHSA-92v7-pq4h-58j5
+    - http://puppetlabs.com/security/cve/cve-2014-3248
+    - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
+    - http://secunia.com/advisories/59197
+    - http://secunia.com/advisories/59200
+    - http://www.securityfocus.com/bid/68035