9 modified files from github_advisory_sync.rb script (2007-2011)

jasnow · postmodern · commit 74af852c5026 · 2023-04-18T11:18:17.000-07:00
diff --git a/gems/actionpack/CVE-2011-3186.yml b/gems/actionpack/CVE-2011-3186.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2011-3186
 osvdb: 74616
+ghsa: fcqf-h4h4-695m
 url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
 title: Response Splitting Vulnerability in Ruby on Rails
 date: 2011-08-16
@@ -12,4 +13,4 @@ description: |
   insufficient sanitization of the values provided for response content types.
 cvss_v2: 4.3
 patched_versions:
-- '>= 2.3.13'
+- ">= 2.3.13"
diff --git a/gems/gtk2/CVE-2007-6183.yml b/gems/gtk2/CVE-2007-6183.yml
@@ -2,13 +2,15 @@
 gem: gtk2
 cve: 2007-6183
 osvdb: 40774
+ghsa: xgj6-pgrm-x4r2
 url: https://nvd.nist.gov/vuln/detail/CVE-2007-6183
 title: 'CVE-2007-6183 ruby-gnome2: format string vulnerability'
 date: 2007-11-27
-description: Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c
+description: |
+  Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c
   in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows
   context-dependent attackers to execute arbitrary code via format string specifiers
   in the message parameter.
 cvss_v2: 6.8
 patched_versions:
-- '> 0.16.0'
+- "> 0.16.0"
diff --git a/gems/jruby-openssl/CVE-2009-4123.yml b/gems/jruby-openssl/CVE-2009-4123.yml
@@ -2,6 +2,7 @@
 gem: jruby-openssl
 platform: jruby
 cve: 2009-4123
+ghsa: xgv7-pqqh-h2w9
 url: http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl
 title: jruby-openssl Gem for JRuby fails to do proper certificate validation
 date: 2009-12-07
@@ -13,4 +14,4 @@ description: |
   also penetrate client-validated SSL server applications with a dummy
   certificate.
 patched_versions:
-- '>= 0.6'
+- ">= 0.6"
diff --git a/gems/mail/CVE-2011-0739.yml b/gems/mail/CVE-2011-0739.yml
@@ -2,8 +2,9 @@
 gem: mail
 cve: 2011-0739
 osvdb: 70667
+ghsa: cpjc-p7fc-j9xh
 url: https://nvd.nist.gov/vuln/detail/CVE-2011-0739
-title: >
+title: |
   Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
   Address Arbitrary Shell Command Injection
 date: 2011-01-25
@@ -15,4 +16,4 @@ description: |
   shell commands.
 cvss_v2: 6.8
 patched_versions:
-- '>= 2.2.15'
+- ">= 2.2.15"
diff --git a/gems/rack/CVE-2011-5036.yml b/gems/rack/CVE-2011-5036.yml
@@ -2,16 +2,18 @@
 gem: rack
 cve: 2011-5036
 osvdb: 78121
+ghsa: v6j3-7jrw-hq2p
 url: https://nvd.nist.gov/vuln/detail/CVE-2011-5036
 title: 'CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)'
 date: 2011-12-28
-description: Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes
+description: |
+  Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes
   hash values for form parameters without restricting the ability to trigger hash
   collisions predictably, which allows remote attackers to cause a denial of service
   (CPU consumption) by sending many crafted parameters.
 cvss_v2: 5.0
 patched_versions:
-- ~> 1.1.3
-- ~> 1.2.5
-- ~> 1.3.6
-- '>= 1.4.0'
+- "~> 1.1.3"
+- "~> 1.2.5"
+- "~> 1.3.6"
+- ">= 1.4.0"
diff --git a/gems/rubygems-update/CVE-2007-0469.yml b/gems/rubygems-update/CVE-2007-0469.yml
@@ -3,14 +3,15 @@ gem: rubygems-update
 library: rubygems
 cve: 2007-0469
 osvdb: 33561
+ghsa: 95vx-q4c2-64gr
 url: https://nvd.nist.gov/vuln/detail/CVE-2007-0469
-title: 'CVE-2007-0469 RubyGems: Specially-crafted Gem archive can overwrite system
-  files'
+title: 'CVE-2007-0469 RubyGems: Specially-crafted Gem archive can overwrite system files'
 date: 2007-01-22
-description: The extract_files function in installer.rb in RubyGems before 0.9.1 does
+description: |
+  The extract_files function in installer.rb in RubyGems before 0.9.1 does
   not check whether files exist before overwriting them, which allows user-assisted
   remote attackers to overwrite arbitrary files, cause a denial of service, or execute
   arbitrary code via crafted GEM packages.
 cvss_v2: 9.3
 patched_versions:
-- '>= 0.9.1'
+- ">= 0.9.1"
diff --git a/gems/spree/CVE-2008-7310.yml b/gems/spree/CVE-2008-7310.yml
@@ -2,13 +2,13 @@
 gem: spree
 cve: 2008-7310
 osvdb: 81505
+ghsa: 7h48-m3rw-vr27
 url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment
-title: |
-  Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
+title: 'Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation'
 date: 2008-09-22
 description: |
   Spree contains a hash restriction weakness that occurs when parsing a
   modified URL. This may allow an attacker to manipulate order state values.
 cvss_v2: 5.0
 patched_versions:
-- '>= 0.3.0'
+- ">= 0.3.0"
diff --git a/gems/spree/CVE-2008-7311.yml b/gems/spree/CVE-2008-7311.yml
@@ -2,6 +2,7 @@
 gem: spree
 cve: 2008-7311
 osvdb: 81506
+ghsa: g466-57gh-cqfw
 url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
 title: |
   Spree Hardcoded config.action_controller_session Hash Value Cryptographic
@@ -13,4 +14,4 @@ description: |
   more easily bypass cryptographic protection.
 cvss_v2: 5.0
 patched_versions:
-- '>= 0.3.0'
+- ">= 0.3.0"
diff --git a/gems/spree/CVE-2010-3978.yml b/gems/spree/CVE-2010-3978.yml
@@ -2,6 +2,7 @@
 gem: spree
 cve: 2010-3978
 osvdb: 69098
+ghsa: hwrx-wc75-mgh7
 url: https://spreecommerce.com/blog/json-hijacking-vulnerability
 title: |
   Spree Multiple Script JSON Request Validation Weakness Remote Information
@@ -15,5 +16,5 @@ description: |
   user visits a crafted website.
 cvss_v2: 5.0
 patched_versions:
-- ~> 0.11.2
-- '>= 0.30.0'
+- "~> 0.11.2"
+- ">= 0.30.0"
