bundler-audit 0.5.0 → 0.6.0

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml

@@ -51,5 +51,5 @@ unaffected_versions:
   - ">= 5.0.0.beta1"
 
 patched_versions:
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml

@@ -8,64 +8,64 @@ url: "https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc"
 title: Possible Object Leak and Denial of Service attack in Action Pack
 
 description: |
-  There is a possible object leak which can lead to a denial of service 
-  vulnerability in Action Pack. This vulnerability has been 
-  assigned the CVE identifier CVE-2016-0751. 
+  There is a possible object leak which can lead to a denial of service
+  vulnerability in Action Pack. This vulnerability has been
+  assigned the CVE identifier CVE-2016-0751.
 
-  Versions Affected:  All. 
-  Not affected:       None. 
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
 
-  Impact 
-  ------ 
-  A carefully crafted accept header can cause a global cache of mime types to 
-  grow indefinitely which can lead to a possible denial of service attack in 
-  Action Pack. 
+  Impact
+  ------
+  A carefully crafted accept header can cause a global cache of mime types to
+  grow indefinitely which can lead to a possible denial of service attack in
+  Action Pack.
 
-  All users running an affected release should either upgrade or use one of the 
-  workarounds immediately. 
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
 
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
 
-  Workarounds 
-  ----------- 
-  This attack can be mitigated by a proxy that only allows known mime types in 
-  the Accept header. 
+  Workarounds
+  -----------
+  This attack can be mitigated by a proxy that only allows known mime types in
+  the Accept header.
 
-  Placing the following code in an initializer will also mitigate the issue: 
+  Placing the following code in an initializer will also mitigate the issue:
 
-  ```ruby 
-  require 'action_dispatch/http/mime_type' 
+  ```ruby
+  require 'action_dispatch/http/mime_type'
 
-  Mime.const_set :LOOKUP, Hash.new { |h,k| 
-    Mime::Type.new(k) unless k.blank? 
-  } 
-  ``` 
+  Mime.const_set :LOOKUP, Hash.new { |h,k|
+    Mime::Type.new(k) unless k.blank?
+  }
+  ```
 
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches for 
-  the two supported release series. They are in git-am format and consist of a 
-  single changeset. 
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
 
-  * 5-0-mime_types_leak.patch - Patch for 5.0 series 
-  * 4-2-mime_types_leak.patch - Patch for 4.2 series 
-  * 4-1-mime_types_leak.patch - Patch for 4.1 series 
-  * 3-2-mime_types_leak.patch - Patch for 3.2 series 
+  * 5-0-mime_types_leak.patch - Patch for 5.0 series
+  * 4-2-mime_types_leak.patch - Patch for 4.2 series
+  * 4-1-mime_types_leak.patch - Patch for 4.1 series
+  * 3-2-mime_types_leak.patch - Patch for 3.2 series
 
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
-  of earlier unsupported releases are advised to upgrade as soon as possible as we 
-  cannot guarantee the continued availability of security fixes for unsupported 
-  releases. 
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
 
-  Credits 
-  ------- 
+  Credits
+  -------
   Aaron Patterson <3<3
 
 patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml

@@ -0,0 +1,96 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-0752
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
+
+title: Possible Information Leak Vulnerability in Action View
+description: |
+  There is a possible directory traversal and information leak vulnerability in
+  Action View. This vulnerability has been assigned the CVE identifier
+  CVE-2016-0752.
+
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+  Impact
+  ------
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+
+  Impacted code will look something like this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+
+  Workarounds
+  -----------
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method.  Instead, verify that data before passing it to the `render` method.
+
+  For example, change this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  To this:
+
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+
+  * 3-2-render_data_leak.patch - Patch for 3.2 series
+  * 4-1-render_data_leak.patch - Patch for 4.1 series
+  * 4-2-render_data_leak.patch - Patch for 4.2 series
+  * 5-0-render_data_leak.patch - Patch for 5.0 series
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+
+  Credits
+  -------
+  Thanks John Poulin for reporting this!
+
+unaffected_versions:
+  # Newer versions are affected, but tracked in the actionview gem.
+  - ">= 4.1.0"
+
+patched_versions:
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
+  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml

@@ -0,0 +1,90 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-2097
+date: 2016-02-29
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
+
+title: Possible Information Leak Vulnerability in Action View
+
+description: |
+
+  There is a possible directory traversal and information leak vulnerability 
+  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 
+  patch was not covering all the scenarios. This vulnerability has been 
+  assigned the CVE identifier CVE-2016-2097.
+
+  Versions Affected:  3.2.x, 4.0.x, 4.1.x
+  Not affected:       4.2+
+  Fixed Versions:     3.2.22.2, 4.1.14.2
+
+  Impact 
+  ------ 
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+
+  Impacted code will look something like this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method. Instead, verify that data before passing it to the `render` method.
+
+  For example, change this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  To this:
+
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches 
+  for it. It is in git-am format and consist of a single changeset.
+
+  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
+  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
+
+  Credits 
+  ------- 
+  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this 
+  and working with us in the patch!
+
+unaffected_versions:
+  # Newer versions are affected, but tracked in the actionview gem.
+  - ">= 4.1.0"
+
+patched_versions:
+  - "~> 3.2.22.2"
+  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml

@@ -0,0 +1,89 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-2098
+date: 2016-02-29
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q"
+
+title: Possible remote code execution vulnerability in Action Pack
+
+description: |
+  There is a possible remote code execution vulnerability in Action Pack.
+  This vulnerability has been assigned the CVE identifier CVE-2016-2098.
+
+  Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
+  Not affected:       5.0+
+  Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
+
+  Impact 
+  ------ 
+  Applications that pass unverified user input to the `render` method in a
+  controller or a view may be vulnerable to a code injection.
+
+  Impacted code will look like this:
+
+  ```ruby
+  class TestController < ApplicationController
+    def show
+      render params[:id]
+    end
+  end
+  ```
+
+  An attacker could use the request parameters to coerce the above example
+  to execute arbitrary ruby code.
+
+  All users running an affected release should either upgrade or use one of 
+  the workarounds immediately.
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations.
+
+  Workarounds 
+  ----------- 
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method. Instead, verify that data before passing it to the `render` method.
+
+  For example, change this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  To this:
+
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided a 
+  patch for it. It is in git-am format and consist of a single changeset.
+
+  * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
+  * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
+  * 4-2-secure_inline_with_params.patch - Patch for 4.2 series
+
+  Credits 
+  ------- 
+  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for 
+  reporting this!
+
+unaffected_versions:
+  - ">= 5.0.0.beta1"
+
+patched_versions:
+  - "~> 3.2.22.2"
+  - "~> 4.2.5, >= 4.2.5.2"
+  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml

@@ -0,0 +1,57 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-6316
+date: 2016-08-11
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
+
+title: Possible XSS Vulnerability in Action View
+
+description: |
+  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
+  safe" will not have quotes escaped when used as attribute values in tag
+  helpers.
+
+  Impact
+  ------
+
+  Text declared as "HTML safe" when passed as an attribute value to a tag helper
+  will not have quotes escaped which can lead to an XSS attack.  Impacted code
+  looks something like this:
+
+  ```ruby
+  content_tag(:div, "hi", title: user_input.html_safe)
+  ```
+
+  Some helpers like the `sanitize` helper will automatically mark strings as
+  "HTML safe", so impacted code could also look something like this:
+
+  ```ruby
+  content_tag(:div, "hi", title: sanitize(user_input))
+  ```
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Workarounds
+  -----------
+  You can work around this issue by either *not* marking arbitrary user input as
+  safe, or by manually escaping quotes like this:
+
+  ```ruby
+  def escape_quotes(value)
+    value.gsub(/"/, '"'.freeze)
+  end
+
+  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
+  ```
+
+unaffected_versions:
+  - "< 3.0.0"
+  # Newer versions are affected, but tracked in the actionview gem.
+  - ">= 4.1.0"
+
+patched_versions:
+  - ~> 3.2.22.3
+  - ~> 4.2.7.1
+  - ">= 5.0.0.1"