bundler-audit 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 679e11f046f11e432067d55398791fdbf03536b3
-  data.tar.gz: ad6bb67d40dae3ee0346ffe18caa11ee19e142e6
+  metadata.gz: eb1773e0d185dcc826b346744c13db1af6aaebab
+  data.tar.gz: 617a25945731a1f38563599b1fb715ff0f95a4d2
 SHA512:
-  metadata.gz: 48e2f1e83c0122d4629e4ddd02d448f90578527b40a1a0fccf331903413fbb2f3df7952399723914c0e0450f6682187af4301404b98bacc61ad794b5633a3023
-  data.tar.gz: 2c868a8106f74e45ffe9bcf02d1578d7326c4bea0a12baddf79ab7bd9dc059b599b39e0a41d167a0bc6d0bbbf01a8dc7e5f28a53849fea88a7214da400f5b52a
+  metadata.gz: 30ad678294da6ef14df9fac8b0d3bbcabaac517eb25c23a26efaeff8a9f01b34f458e3d10ef518ce720b9840362fce0506420064e56b15b1cfca724cae35dcc0
+  data.tar.gz: 7d4810f14c9bb158dba5a57fe5151dd9ff812c948c9919defbb291ee76a140def1e62ecaacd8daab3feb88e95a49fd0c1769c12269d301a6bd224f28b0f64bff

data/.gitignore

@@ -1,5 +1,8 @@
 Gemfile.lock
 doc/
+.yardoc/
 pkg/
 spec/bundle/*/Gemfile.lock
+spec/bundle/*/.bundle/
 vendor/bundle/
+tmp/

data/.travis.yml

@@ -2,3 +2,4 @@ rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
+  - 2.0.0

data/ChangeLog.md

@@ -1,3 +1,13 @@
+### 0.3.1 / 2014-04-20
+
+* Added thor ~> 0.18 as a dependency.
+* No longer rely on the vendored version of thor within bundler.
+* Store the timestamp of when `data/ruby-advisory-db` was last updated in
+  `data/ruby-advisory-db.ts`.
+* Use `data/ruby-advisory-db.ts` instead of the creation time of the
+  `dataruby-advisory-db` directory, which is always the install time
+  of the rubygem.
+
 ### 0.3.0 / 2013-10-31
 
 * Added {Bundler::Audit::Database.update!} which uses `git` to download

data/README.md

@@ -110,6 +110,8 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 ## Requirements
 
+* [RubyGems] >= 1.8
+* [thor] ~> 0.18
 * [bundler] ~> 1.2
 
 ## Install
@@ -118,7 +120,7 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 ## License
 
-Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -133,6 +135,8 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
+[RubyGems]: https://rubygems.org
+[thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [OSVDB]: http://osvdb.org/

data/Rakefile

@@ -19,6 +19,7 @@ rescue Bundler::BundlerError => e
 end
 
 require 'rake'
+require 'time'
 
 require 'rubygems/tasks'
 Gem::Tasks.new
@@ -26,11 +27,18 @@ Gem::Tasks.new
 namespace :db do
   desc 'Updates data/ruby-advisory-db'
   task :update do
+    timestamp = nil
+
     chdir 'data/ruby-advisory-db' do
       sh 'git', 'pull', 'origin', 'master'
+
+      File.open('../ruby-advisory-db.ts','w') do |file|
+        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+      end
     end
 
     sh 'git', 'commit', 'data/ruby-advisory-db',
+                        'data/ruby-advisory-db.ts',
                         '-m', 'Updated ruby-advisory-db'
   end
 end

data/data/ruby-advisory-db.ts

@@ -0,0 +1 @@
+2014-02-11 00:45:58 UTC

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -12,3 +12,12 @@ Thanks,
 * [Larry W. Cashdollar](http://vapid.dhs.org/)
 * [Michael Grosser](https://github.com/grosser)
 * [Sascha Korth](https://github.com/skorth)
+* [David Radcliffe](https://github.com/dwradcliffe)
+* [Jörg Schiller](https://github.com/joergschiller)
+* [Derek Prior](https://github.com/derekprior)
+* [Joel Chippindale](https://github.com/mocoso)
+* [Josef Šimánek](https://github.com/simi)
+* [Amiel Martin](https://github.com/amiel)
+* [Jeremy Olliver](https://github.com/jeremyolliver)
+* [Vasily Vasinov](https://github.com/vasinov)
+* [Phill MV](https://twitter.com/phillmv)

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml

@@ -0,0 +1,20 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6415
+osvdb: 100524
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
+title: XSS Vulnerability in number_to_currency
+date: 2013-12-03
+
+description: |
+  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
+  The number_to_currency helper allows users to nicely format a numeric value. One
+  of the parameters to the helper (unit) is not escaped correctly.  Applications
+  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml

@@ -0,0 +1,21 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6414
+osvdb: 100525
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
+title: Denial of Service Vulnerability in Action View
+date: 2013-12-03
+
+description: |
+  There is a denial of service vulnerability in the header handling component of 
+  Action View.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml

@@ -0,0 +1,27 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6416
+osvdb: 100526
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
+title: XSS Vulnerability in simple_format helper
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the simple_format helper in Ruby on Rails.
+  The simple_format helper converts user supplied text into html text 
+  which is intended to be safe for display. A change made to the 
+  implementation of this helper means that any user provided HTML 
+  attributes will not be escaped correctly. As a result of this error, 
+  applications which pass user-controlled data to be included as html 
+  attributes will be vulnerable to an XSS attack.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+  - ~> 3.1.0
+  - ~> 3.2.0
+
+patched_versions:
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6417
+osvdb: 100527
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
+title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
+date: 2013-12-03
+
+description: |
+  The prior fix to CVE-2013-0155 was incomplete and the use of common
+  3rd party libraries can accidentally circumvent the protection. Due
+  to the way that Rack::Request and Rails::Request interact, it is
+  possible for a 3rd party or custom rack middleware to parse the
+  parameters insecurely and store them in the same key that Rails uses
+  for its own parameters.  In the event that happens the application
+  will receive unsafe parameters and could be vulnerable to the earlier
+  vulnerability. 
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-4491
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: Reflective XSS Vulnerability in Ruby on Rails
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the internationalization component of Ruby on
+  Rails. Under certain common configurations an attacker can provide specially
+  crafted input which will execute a reflective XSS attack.
+  
+  The root cause of this issue is a vulnerability in the i18n gem which has
+  been assigned the identifier CVE-2013-4492.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0081
+osvdb: 103439
+url: http://osvdb.org/show/osvdb/103439
+title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the actionpack/lib/action_view/helpers/number_helper.rb
+  script does not validate input to the 'number_to_currency', 'number_to_percentage',
+  and 'number_to_human' helpers before returning it to users. This may allow a
+  remote attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.17
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0082
+osvdb: 103440
+url: http://osvdb.org/show/osvdb/103440
+title: Denial of Service Vulnerability in Action View when using render :text
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
+  in the text rendering component of Action View that is triggered when
+  handling MIME types that are converted to symbols. This may allow a
+  remote attacker to cause a denial of service.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 4.0.0
+
+patched_versions:
+  - ">= 3.2.17"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml

@@ -0,0 +1,23 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-0080
+osvdb: 103438
+url: http://osvdb.org/show/osvdb/103438
+title: Data Injection Vulnerability in Active Record
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
+  in Active Record. This issue may allow a remote attacker to inject data
+  into PostgreSQL array columns via a specially crafted string.
+
+cvss_v2: 
+
+unaffected_versions:
+  - "< 3.2.0"
+  - ~> 3.2.0
+
+patched_versions:
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml

@@ -0,0 +1,15 @@
+---
+gem: Arabic-Prawn
+osvdb: 104365
+url: http://osvdb.org/show/osvdb/104365
+title: Arabic-Prawn Gem for Ruby contains a flaw
+date: 2014-03-10
+
+description: |
+  Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
+  file. The issue is due to the program failing to sanitize user input. This may
+  allow a remote attacker to inject arbitrary commands.
+
+cvss_v2:
+
+patched_versions:

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml

@@ -8,8 +8,8 @@ date: 2013-10-22
 description: Cocaine Gem for Ruby contains a flaw that is due to the method
   of variable interpolation used by the program. With a specially crafted
   object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2:
+cvss_v2: 6.8
 unaffected_versions:
-  - ~> 0.3.0
+  - < 0.4.0
 patched_versions: 
   - '>= 0.5.3'

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml

@@ -10,7 +10,7 @@ description: |
   context-dependent attacker to potentially execute arbitrary code.
 date: 2013-01-09
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 
 patched_versions:
   - ">= 0.3.2"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml

@@ -8,5 +8,5 @@ date: 2013-03-12
 
 description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 

data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml

@@ -0,0 +1,11 @@
+---
+gem: echor
+osvdb: 102129
+url: http://osvdb.org/show/osvdb/102129
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request function that is triggered when
+  a semi-colon (;) is injected into a username or password. This may allow a context-dependent attacker to inject
+  arbitrary commands if the gem is used in a rails application.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml

@@ -0,0 +1,10 @@
+---
+gem: echor
+osvdb: 102130
+url: http://osvdb.org/show/osvdb/102130
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the
+  system process listing. This may allow a local attacker to gain access to plaintext credential information.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml

@@ -0,0 +1,14 @@
+---
+gem: gitlab-grit
+cve: 2013-4489
+osvdb: 99370
+url: http://www.osvdb.org/show/osvdb/99370
+title: GitLab Grit Gem for Ruby contains a flaw
+date: 2013-11-04
+description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
+  The issue is triggered when input passed via the code search box is not properly sanitized,
+  which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
+  execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - '>= 2.6.1'

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml

@@ -1,19 +1,14 @@
 ---
 gem: httparty
-cve: 2013-1802
+cve: 2013-1801
 osvdb: 90741
 url: http://osvdb.org/show/osvdb/90741
-title:
-  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
 date: 2013-01-14
-
 description: |
   httparty Gem for Ruby contains a flaw that is triggered when a type casting
   error occurs during the parsing of parameters. This may allow a
   context-dependent attacker to potentially execute arbitrary code.
-
-cvss_v2: 9.3
-
+cvss_v2: 7.5
 patched_versions:
   - ">= 0.10.0"
-

data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml

@@ -0,0 +1,17 @@
+---
+gem: i18n
+cve: 2013-4492
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: i18n missing translation error message XSS
+date: 2013-12-03
+
+description: |
+  The HTML exception message raised by I18n::MissingTranslation fails
+  to escape the keys.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 0.5.1
+  - '>= 0.6.6'

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml

@@ -0,0 +1,12 @@
+---
+gem: nokogiri
+cve: 2013-6460
+osvdb: 101179
+url: http://www.osvdb.org/show/osvdb/101179
+title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
+date: 2013-12-14
+description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"