17 GHSA=>RAD sync'ed files

Author: jasnow

gems/actionpack/CVE-2012-1099.yml

@@ -3,15 +3,17 @@ gem: actionpack
 framework: rails
 cve: 2012-1099
 osvdb: 79727
+ghsa: 2xjj-5x6h-8vmf
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-1099
-title: "CVE-2012-1099 rubygem-actionpack: XSS in the 'select' helper"
+title: 'CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper'
 date: 2012-03-01
-description: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb
+description: |
+  Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb
   in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and
   3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML
   via vectors involving certain generation of OPTION elements within SELECT elements.
 cvss_v2: 4.3
 patched_versions:
-- ~> 3.0.12
-- ~> 3.1.4
-- '>= 3.2.2'
+- "~> 3.0.12"
+- "~> 3.1.4"
+- ">= 3.2.2"

gems/actionpack/CVE-2012-3424.yml

@@ -3,18 +3,20 @@ gem: actionpack
 framework: rails
 cve: 2012-3424
 osvdb: 84243
+ghsa: 92w9-2pqw-rhjj
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-3424
 title: 'CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest'
 date: 2012-07-26
-description: The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb
+description: |
+  The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb
   in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts
   Digest Authentication strings to symbols, which allows remote attackers to cause
   a denial of service by leveraging access to an application that uses a with_http_digest
   helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
 cvss_v2: 5.0
 unaffected_versions:
-- '>= 2.3.5, <= 2.3.14'
+- ">= 2.3.5, <= 2.3.14"
 patched_versions:
-- ~> 3.0.16
-- ~> 3.1.7
-- '>= 3.2.7'
+- "~> 3.0.16"
+- "~> 3.1.7"
+- ">= 3.2.7"

gems/actionpack/CVE-2012-3463.yml

@@ -3,18 +3,20 @@ gem: actionpack
 framework: rails
 cve: 2012-3463
 osvdb: 84515
+ghsa: 98mf-8f57-64qf
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-3463
 title: 'CVE-2012-3463 rubygem-actionpack: potential XSS vulnerability in select_tag
   prompt'
 date: 2012-08-09
-description: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb
+description: |
+  Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb
   in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows
   remote attackers to inject arbitrary web script or HTML via the prompt field to
   the select_tag helper.
 cvss_v2: 4.3
 unaffected_versions:
-- ~> 2.3.0
+- "~> 2.3.0"
 patched_versions:
-- ~> 3.0.17
-- ~> 3.1.8
-- '>= 3.2.8'
+- "~> 3.0.17"
+- "~> 3.1.8"
+- ">= 3.2.8"

gems/actionpack/CVE-2012-3465.yml

@@ -3,15 +3,17 @@ gem: actionpack
 framework: rails
 cve: 2012-3465
 osvdb: 84513
+ghsa: 7g65-ghrg-hpf5
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-3465
 title: 'CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags'
 date: 2012-08-09
-description: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb
+description: |
+  Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb
   in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and
   3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML
   via malformed HTML markup.
 cvss_v2: 4.3
 patched_versions:
-- ~> 3.0.17
-- ~> 3.1.8
-- '>= 3.2.8'
+- "~> 3.0.17"
+- "~> 3.1.8"
+- ">= 3.2.8"

gems/activerecord/CVE-2012-2661.yml

@@ -3,19 +3,21 @@ gem: activerecord
 framework: rails
 cve: 2012-2661
 osvdb: 82403
+ghsa: fh39-v733-mxfr
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-2661
 title: 'CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query
   paramaters'
 date: 2012-05-31
-description: The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x
+description: |
+  The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x
   before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of
   request data to a where method in an ActiveRecord class, which allows remote attackers
   to conduct certain SQL injection attacks via nested query parameters that leverage
   unintended recursion, a related issue to CVE-2012-2695.
 cvss_v2: 5.0
 unaffected_versions:
-- ~> 2.3.14
+- "~> 2.3.14"
 patched_versions:
-- ~> 3.0.13
-- ~> 3.1.5
-- '>= 3.2.4'
+- "~> 3.0.13"
+- "~> 3.1.5"
+- ">= 3.2.4"

gems/activerecord/CVE-2012-6496.yml

@@ -3,6 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2012-6496
 osvdb: 88661
+ghsa: gh2w-j7cx-2664
 url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
 title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
 date: 2012-12-22
@@ -12,6 +13,6 @@ description: |
   crafted requests can use the scope to inject arbitrary SQL.
 cvss_v2: 6.4
 patched_versions:
-- ~> 3.0.18
-- ~> 3.1.9
-- '>= 3.2.10'
+- "~> 3.0.18"
+- "~> 3.1.9"
+- ">= 3.2.10"

gems/activesupport/CVE-2012-1098.yml

@@ -3,18 +3,20 @@ gem: activesupport
 framework: rails
 cve: 2012-1098
 osvdb: 79726
+ghsa: qv8p-v9qw-wc7g
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098
 title: 'CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe
   buffers can be marked as safe)'
 date: 2012-03-01
-description: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before
+description: |
+  Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before
   3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject
   arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated
   through certain methods.
 cvss_v2: 4.3
 unaffected_versions:
-- < 3.0.0
+- "< 3.0.0"
 patched_versions:
-- ~> 3.0.12
-- ~> 3.1.4
-- '>= 3.2.2'
+- "~> 3.0.12"
+- "~> 3.1.4"
+- ">= 3.2.2"

gems/activesupport/CVE-2012-3464.yml

@@ -3,15 +3,17 @@ gem: activesupport
 framework: rails
 cve: 2012-3464
 osvdb: 84516
+ghsa: h835-75hw-pj89
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464
 title: 'CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability'
 date: 2012-08-09
-description: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb
+description: |
+  Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb
   in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might
   allow remote attackers to inject arbitrary web script or HTML via vectors involving
   a ' (quote) character.
 cvss_v2: 4.3
 patched_versions:
-- ~> 3.0.17
-- ~> 3.1.8
-- '>= 3.2.8'
+- "~> 3.0.17"
+- "~> 3.1.8"
+- ">= 3.2.8"

gems/authlogic/CVE-2012-6497.yml

@@ -2,6 +2,7 @@
 gem: authlogic
 cve: 2012-6497
 osvdb: 89064
+ghsa: rx7j-mw4c-76g9
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-6497
 title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness
 date: 2012-12-21
@@ -12,4 +13,4 @@ description: |
   secret_token.rb, a remote attacker to more easily conduct SQL injection
   attacks.
 patched_versions:
-- '>= 3.3.0'
+- ">= 3.3.0"

gems/ldap_fluff/CVE-2012-5604.yml

@@ -2,13 +2,15 @@
 gem: ldap_fluff
 cve: 2012-5604
 osvdb: 90579
+ghsa: 9whh-582r-589h
 url: https://nvd.nist.gov/vuln/detail/CVE-2012-5604
 title: 'CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when handling
   anonymous LDAP bind'
 date: 2012-12-04
-description: The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when
+description: |
+  The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when
   using Active Directory for authentication, allows remote attackers to bypass authentication
   via unspecified vectors.
 cvss_v2: 5.0
 patched_versions:
-- '>= 0.1.3'
+- ">= 0.1.3"