From 9be0839b9be066c6d84928be5ddaaffdf480f504 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sat, 21 Sep 2024 06:17:07 -0400
Subject: [PATCH 1/2] GHSA SYNC: 1 brand new and 1 modified advisory
---
gems/google-protobuf/CVE-2024-7254.yml | 1 +
gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 27 ++++++++++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
diff --git a/gems/google-protobuf/CVE-2024-7254.yml b/gems/google-protobuf/CVE-2024-7254.yml
index 68f149fa19..ce6a06a19c 100644
--- a/gems/google-protobuf/CVE-2024-7254.yml
+++ b/gems/google-protobuf/CVE-2024-7254.yml
@@ -44,6 +44,7 @@ description: |+
 * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2) +cvss_v3: 7.5 cvss_v4: 8.7 patched_versions: - "~> 3.25.5"
diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
new file mode 100644
index 0000000000..9e31d14d31
--- /dev/null
+++ b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
@@ -0,0 +1,27 @@
+---
+gem: omniauth-saml
+ghsa: cvp8-5r8g-fhvq
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+date: 2024-09-11
+description: |
+ ruby-saml, the dependent SAML gem of omniauth-saml has a signature
+ wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
+ https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+
+ As a result, omniauth-saml created a
+ [new release](https://github.com/omniauth/omniauth-saml/releases)
+ by upgrading ruby-saml to the patched versions v1.17.
+cvss_v3: 10.0
+patched_versions:
+ - "~> 1.10.5"
+ - "~> 2.1.2"
+ - ">= 2.2.1"
+related:
+ url:
+ - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+ - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+ - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+ - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
+ - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
From dd2485f49b5f19efb30beab10be0a9102a8fe3ea Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Sat, 21 Sep 2024 10:53:02 -0700
Subject: [PATCH 2/2] Removed duplicate gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
---
gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 27 ----------------------
1 file changed, 27 deletions(-)
delete mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
deleted file mode 100644
index 9e31d14d31..0000000000
--- a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
+++ /dev/null
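Review bot: The top-level `url:` of the new advisory points at the upstream ruby-saml advisory (GHSA-jw9c-mfg7-9rx2) while `ghsa:` carries cvp8-5r8g-fhvq, so the record's primary link and its identifier describe two different advisories; the omniauth-saml advisory page only appears further down under `related.url`. If the database expects `url` to be the advisory's own page, the line should be `url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq`, with the ruby-saml link kept in `related.url` where it already is. The affected-range sentence in `description` also reads awkwardly (`... v1.13.0 to v1.16.0 , see`) and "the patched versions v1.17" refers to a single version; tightening it to `wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0, see` and `by upgrading ruby-saml to the patched version v1.17.` would make the range easier to match against an installed gem. Note that PATCH 2/2 in this series removes this file again as a duplicate, so whichever advisory record survives should carry these corrections.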
@@ -1,27 +0,0 @@
----
-gem: omniauth-saml
-ghsa: cvp8-5r8g-fhvq
-url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
-title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
-date: 2024-09-11
-description: |
- ruby-saml, the dependent SAML gem of omniauth-saml has a signature
- wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
-
- As a result, omniauth-saml created a
- [new release](https://github.com/omniauth/omniauth-saml/releases)
- by upgrading ruby-saml to the patched versions v1.17.
-cvss_v3: 10.0
-patched_versions:
- - "~> 1.10.5"
- - "~> 2.1.2"
- - ">= 2.2.1"
-related:
- url:
- - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
- - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
- - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
- - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
- - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
- - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq