Updating advisories with osvdb.org in "url:" field (#613)

Author: jasnow

gems/RedCloth/CVE-2012-6684.yml

@@ -1,19 +1,27 @@
 ---
 gem: RedCloth
 cve: 2012-6684
+ghsa: r23g-3qw4-gfh2
 osvdb: 115941
 url: https://co3k.org/blog/redcloth-unfixed-xss-en
 title: "CVE-2012-6684 rubygem-RedCloth: XSS vulnerability"
 date: 2012-02-29
 description: |
-  'Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9
-  for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML
-  via a javascript: URI.'
+  Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9
+  for Ruby and earlier allows remote attackers to inject arbitrary
+  web script or HTML via a javascript: URI.
 cvss_v2: 4.3
 patched_versions:
-  - '>= 4.3.0'
+  - ">= 4.3.0"
 related:
   url:
-    - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
+    - http://co3k.org/blog/redcloth-unfixed-xss-en
     - https://gist.github.com/co3k/75b3cb416c342aa1414c
+    - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
+    - https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
     - https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
+    - https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-6684
+    - https://github.com/advisories/GHSA-r23g-3qw4-gfh2
+    - http://seclists.org/fulldisclosure/2014/Dec/50
+    - http://www.debian.org/security/2015/dsa-3168

gems/activerecord-jdbc-adapter/OSVDB-114854.yml

@@ -2,7 +2,7 @@
 gem: activerecord-jdbc-adapter
 platform: jruby
 osvdb: 114854
-url: http://osvdb.org/show/osvdb/114854
+url: https://github.com/jruby/activerecord-jdbc-adapter/issues/322
 title:
   ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
   Function SQL Injection
@@ -15,6 +15,13 @@ description: |
   manipulate SQL queries in the back-end database, allowing for the
   manipulation or disclosure of arbitrary data.
 unaffected_versions:
-  - < 1.2.6
+  - "< 1.2.6"
 patched_versions:
-  - '>= 1.2.8'
+  - ">= 1.2.8"
+related:
+  url:
+    - https://github.com/jruby/activerecord-jdbc-adapter/issues/322
+    - https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb
+    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
+    - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8
+    - http://osvdb.org/show/osvdb/114854

gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml

@@ -1,7 +1,7 @@
 ---
 gem: activerecord-oracle_enhanced-adapter
 osvdb: 95376
-url: http://osvdb.org/show/osvdb/95376
+url: https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6
 title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
 date: 2008-10-10
 description: |
@@ -12,4 +12,9 @@ description: |
   queries in the back-end database, allowing for the manipulation or disclosure
   of arbitrary data.
 patched_versions:
-  - '>= 1.1.8'
+  - ">= 1.1.8"
+related:
+  url:
+    - https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6
+    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDORACLEENHANCEDADAPTER-20006
+    - http://osvdb.org/show/osvdb/95376

gems/activeresource/OSVDB-95749.yml

@@ -1,9 +1,9 @@
 ---
 gem: activeresource
 osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function
-  Multiple Variable Format String
+url: https://my.diffend.io/gems/activeresource/versions/2.1.0
+title: activeresource Gem for Ruby lib/active_resource/connection.rb
+  request Function Multiple Variable Format String
 date: 2008-08-15
 description: |
   activeresource contains a format string flaw in the request function of
@@ -13,4 +13,9 @@ description: |
   allow a remote attacker to cause a denial of service or potentially execute
   arbitrary code.
 patched_versions:
-  - '>= 2.2.0'
+  - ">= 2.2.0"
+related:
+  url:
+    - https://my.diffend.io/gems/activeresource/versions/2.1.0
+    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERESOURCE-20004
+    - http://osvdb.org/show/osvdb/95749

gems/as/OSVDB-112683.yml

@@ -1,10 +1,16 @@
 ---
 gem: as
 osvdb: 112683
-url: http://osvdb.org/show/osvdb/112683
+url: https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
 title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
 date: 2014-09-25
 description: |
   as Gem for Ruby contains a flaw that is due to the program displaying
   credential information in plaintext in the process list. This may
   allow a local attacker to gain access to credential information.
+notes: "Never patched"
+related:
+  url:
+    - https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
+    - http://osvdb.org/show/osvdb/112683
+# FYI: rubygem.org Homepage is 404"

gems/auto_awesomplete/OSVDB-132800.yml

@@ -1,10 +1,17 @@
 ---
 gem: auto_awesomplete
 osvdb: 132800
-url: https://github.com/Tab10id/auto_awesomplete/issues/2
+url: https://www.openwall.com/lists/oss-security/2016/01/11/2
 title: auto_awesomplete Gem for Ruby allows arbitrary search execution
 date: 2016-01-08
 description: |
-  auto_awesomplete Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.
+  auto_awesomplete Gem for Ruby contains a flaw that is triggered
+  when handling the 'params[:default_class_name]' option. This
+  allows users to search any object of all given ActiveRecord classes.
+notes: "Never patched"
+related:
+  url:
+    - https://www.openwall.com/lists/oss-security/2016/01/11/2
+    - https://github.com/Tab10id/auto_awesomplete/issues/2
+    - https://github.com/rubysec/ruby-advisory-db/issues/224
+    - https://github.com/rubysec/ruby-advisory-db/pull/227

gems/auto_select2/OSVDB-132800.yml

@@ -1,12 +1,20 @@
 ---
 gem: auto_select2
 osvdb: 132800
-url: https://github.com/Loriowar/auto_select2/issues/4
+url: https://www.openwall.com/lists/oss-security/2016/01/11/2
 title: auto_select2 Gem for Ruby allows arbitrary search execution
 date: 2016-01-08
 description: |
-  auto_select2 Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.
+  auto_select2 Gem for Ruby contains a flaw that is triggered
+  when handling the 'params[:default_class_name]' option. This
+  allows users to search any object of all given ActiveRecord classes.
 patched_versions:
-  - '>= 0.5.0'
+  - ">= 0.5.0"
+related:
+  url:
+    - https://www.openwall.com/lists/oss-security/2016/01/11/2
+    - https://github.com/Loriowar/auto_select2/issues/4
+    - https://github.com/bkocherov/auto_select2/commit/c283ba5b2ad828c3b7414565ae66cd0d86f5a5df
+    - https://github.com/rubysec/ruby-advisory-db/issues/224
+    - https://github.com/rubysec/ruby-advisory-db/pull/227
+    - https://github.com/Tab10id/auto_awesomplete/issues/2

gems/backup_checksum/OSVDB-108570.yml

@@ -1,11 +1,18 @@
 ---
 gem: backup_checksum
 osvdb: 108570
-url: http://osvdb.org/show/osvdb/108570
-title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling
-  Remote Command Execution
+url: https://www.openwall.com/lists/oss-security/2014/07/07/12
+title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb
+  Metacharacter Handling Remote Command Execution
 date: 2014-06-30
 description: |
   backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
   that is triggered when handling metacharacters. This may allow a remote
   attacker to execute arbitrary commands.
+notes: "Never patched"
+related:
+  url:
+    - https://www.openwall.com/lists/oss-security/2014/07/07/12
+    - https://my.diffend.io/gems/backup_checksum/3.0.23
+    - https://github.com/backup/backup
+    - http://osvdb.org/show/osvdb/108570

gems/bcrypt-ruby/OSVDB-62067.yml

@@ -7,14 +7,24 @@ title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (J
   only)
 date: 2010-02-01
 description: |
+  In https://security.snyk.io/vuln/SNYK-RUBY-BCRYPT-20009, found
+  "The advisory has been revoked - it doesn't affect any version of package bcrypt"
+
   bcrypt-ruby Gem for Ruby suffered from a bug related to character
   encoding that substantially reduced the entropy of hashed passwords
   containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
+  transparently replaced such characters by '?' prior to hashing.
+  In the worst case of a password consisting solely of non-US-ASCII
+  characters, this would cause its hash to be equivalent to all other
+  such passwords of the same length.
+
+  This issue only affects the JRuby implementation.
 
   This gem has been renamed. Please use "bcrypt" from now on.
 patched_versions:
-  - '>= 2.1.4'
+  - ">= 2.1.4"
+related:
+  url:
+    - https://github.com/jeremyh/jBCrypt
+    - http://www.mindrot.org/files/jBCrypt/internat.adv
+    - https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/ext/jruby/bcrypt_jruby/BCrypt.java

gems/bcrypt/OSVDB-62067.yml

@@ -7,12 +7,22 @@ title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (J
   only)
 date: 2010-02-01
 description: |
+  In https://security.snyk.io/vuln/SNYK-RUBY-BCRYPT-20009, found
+  "The advisory has been revoked - it doesn't affect any version of package bcrypt"
+
   bcrypt-ruby Gem for Ruby suffered from a bug related to character
   encoding that substantially reduced the entropy of hashed passwords
   containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
+  transparently replaced such characters by '?' prior to hashing.
+  In the worst case of a password consisting solely of non-US-ASCII
+  characters, this would cause its hash to be equivalent to all other
+  such passwords of the same length.
+
+  This issue only affects the JRuby implementation.
 patched_versions:
-  - '>= 2.1.4'
+  - ">= 2.1.4"
+related:
+  url:
+    - https://github.com/jeremyh/jBCrypt
+    - http://www.mindrot.org/files/jBCrypt/internat.adv
+    - https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/ext/jruby/bcrypt_jruby/BCrypt.java