bundler-audit 0.5.0 → 0.6.0

data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml

@@ -7,86 +7,86 @@ url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
 
 title: Possible Information Leak Vulnerability in Action View
 description: |
-  There is a possible directory traversal and information leak vulnerability in 
-  Action View. This vulnerability has been assigned the CVE identifier 
-  CVE-2016-0752. 
-
-  Versions Affected:  All. 
-  Not affected:       None. 
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
-
-  Impact 
-  ------ 
-  Applications that pass unverified user input to the `render` method in a 
-  controller may be vulnerable to an information leak vulnerability. 
-
-  Impacted code will look something like this: 
-
-  ```ruby 
-  def index 
-    render params[:id] 
-  end 
-  ``` 
-
-  Carefully crafted requests can cause the above code to render files from 
-  unexpected places like outside the application's view directory, and can 
-  possibly escalate this to a remote code execution attack. 
-
-  All users running an affected release should either upgrade or use one of the 
-  workarounds immediately. 
-
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
-
-  Workarounds 
-  ----------- 
-  A workaround to this issue is to not pass arbitrary user input to the `render` 
-  method.  Instead, verify that data before passing it to the `render` method. 
-
-  For example, change this: 
-
-  ```ruby 
-  def index 
-    render params[:id] 
-  end 
-  ``` 
-
-  To this: 
-
-  ```ruby 
-  def index 
-    render verify_template(params[:id]) 
-  end 
-
-  private 
-  def verify_template(name) 
-    # add verification logic particular to your application here 
-  end 
-  ``` 
-
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches for 
-  the two supported release series. They are in git-am format and consist of a 
-  single changeset. 
-
-  * 3-2-render_data_leak.patch - Patch for 3.2 series 
-  * 4-1-render_data_leak.patch - Patch for 4.1 series 
-  * 4-2-render_data_leak.patch - Patch for 4.2 series 
-  * 5-0-render_data_leak.patch - Patch for 5.0 series 
-
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
-  of earlier unsupported releases are advised to upgrade as soon as possible as we 
-  cannot guarantee the continued availability of security fixes for unsupported 
-  releases. 
-
-  Credits 
-  ------- 
+  There is a possible directory traversal and information leak vulnerability in
+  Action View. This vulnerability has been assigned the CVE identifier
+  CVE-2016-0752.
+
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+  Impact
+  ------
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+
+  Impacted code will look something like this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+
+  Workarounds
+  -----------
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method.  Instead, verify that data before passing it to the `render` method.
+
+  For example, change this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  To this:
+
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+
+  * 3-2-render_data_leak.patch - Patch for 3.2 series
+  * 4-1-render_data_leak.patch - Patch for 4.1 series
+  * 4-2-render_data_leak.patch - Patch for 4.2 series
+  * 5-0-render_data_leak.patch - Patch for 5.0 series
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+
+  Credits
+  -------
   Thanks John Poulin for reporting this!
 
+# "~> 3.2.22.1" is found in gems/actionpack/CVE-2016-0752.yml
 patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
-  - "~> 3.2.22.1"
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml

@@ -0,0 +1,89 @@
+---
+gem: actionview
+framework: rails
+cve: 2016-2097
+date: 2016-02-29
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
+
+title: Possible Information Leak Vulnerability in Action View
+
+description: |
+
+  There is a possible directory traversal and information leak vulnerability 
+  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 
+  patch was not covering all the scenarios. This vulnerability has been 
+  assigned the CVE identifier CVE-2016-2097.
+
+  Versions Affected:  3.2.x, 4.0.x, 4.1.x
+  Not affected:       4.2+
+  Fixed Versions:     3.2.22.2, 4.1.14.2
+
+  Impact 
+  ------ 
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+
+  Impacted code will look something like this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method. Instead, verify that data before passing it to the `render` method.
+
+  For example, change this:
+
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+
+  To this:
+
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches 
+  for it. It is in git-am format and consist of a single changeset.
+
+  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
+  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
+
+  Credits 
+  ------- 
+  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this 
+  and working with us in the patch!
+
+unaffected_versions:
+  - ">= 4.2.0"
+
+# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
+patched_versions:
+  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml

@@ -0,0 +1,56 @@
+---
+gem: actionview
+framework: rails
+cve: 2016-6316
+date: 2016-08-11
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
+
+title: Possible XSS Vulnerability in Action View
+
+description: |
+  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
+  safe" will not have quotes escaped when used as attribute values in tag
+  helpers.
+
+  Impact
+  ------
+
+  Text declared as "HTML safe" when passed as an attribute value to a tag helper
+  will not have quotes escaped which can lead to an XSS attack.  Impacted code
+  looks something like this:
+
+  ```ruby
+  content_tag(:div, "hi", title: user_input.html_safe)
+  ```
+
+  Some helpers like the `sanitize` helper will automatically mark strings as
+  "HTML safe", so impacted code could also look something like this:
+
+  ```ruby
+  content_tag(:div, "hi", title: sanitize(user_input))
+  ```
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Workarounds
+  -----------
+  You can work around this issue by either *not* marking arbitrary user input as
+  safe, or by manually escaping quotes like this:
+
+  ```ruby
+  def escape_quotes(value)
+    value.gsub(/"/, '"'.freeze)
+  end
+
+  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
+  ```
+
+unaffected_versions:
+  - "< 3.0.0"
+
+# "~> 3.2.22.3" is found in gems/actionpack/CVE-2016-6316.yml
+patched_versions:
+  - "~> 4.2.7.1"
+  - "~> 4.2.8"
+  - ">= 5.0.0.1"

data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml

@@ -5,88 +5,88 @@ cve: 2016-0753
 date: 2016-01-25
 url: "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
 
-title: Possible Input Validation Circumvention in Active Model 
+title: Possible Input Validation Circumvention in Active Model
 
 description: |
-  There is a possible input validation circumvention vulnerability in Active 
-  Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. 
-
-  Versions Affected:  4.1.0 and newer 
-  Not affected:       4.0.13 and older 
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1 
-
-  Impact 
-  ------ 
-  Code that uses Active Model based models (including Active Record models) and 
-  does not validate user input before passing it to the model can be subject to 
-  an attack where specially crafted input will cause the model to skip 
-  validations. 
-
-  Vulnerable code will look something like this: 
-
-  ```ruby 
-  SomeModel.new(unverified_user_input) 
-  ``` 
-
-  Rails users using Strong Parameters are generally not impacted by this issue 
-  as they are encouraged to whitelist parameters and must specifically opt-out 
-  of input verification using the `permit!` method to allow mass assignment. 
-
-  For example, a vulnerable Rails application will have code that looks like 
-  this: 
-
-  ```ruby 
-  def create 
-    params.permit! # allow all parameters 
-    @user = User.new params[:users] 
-  end 
-  ``` 
-
-  Active Model and Active Record objects are not equipped to handle arbitrary 
-  user input.  It is up to the application to verify input before passing it to 
-  Active Model models.  Rails users already have Strong Parameters in place to 
-  handle white listing, but applications using Active Model and Active Record 
-  outside of a Rails environment may be impacted. 
-
-  All users running an affected release should either upgrade or use one of the 
-  workarounds immediately. 
-
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
-
-  Workarounds 
-  ----------- 
-  There are several workarounds depending on the application.  Inside a Rails 
-  application, stop using `permit!`.  Outside a Rails application, either use 
-  Hash#slice to select the parameters you need, or integrate Strong Parameters 
-  with your application. 
-
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches for 
-  the two supported release series. They are in git-am format and consist of a 
-  single changeset. 
-
-  * 4-1-validation_skip.patch - Patch for 4.1 series 
-  * 4-2-validation_skip.patch - Patch for 4.2 series 
-  * 5-0-validation_skip.patch - Patch for 5.0 series 
-
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
-  of earlier unsupported releases are advised to upgrade as soon as possible as we 
-  cannot guarantee the continued availability of security fixes for unsupported 
-  releases. 
-
-  Credits 
-  ------- 
-  Thanks to: 
-
-  [John Backus](https://github.com/backus) from BlockScore for reporting this! 
+  There is a possible input validation circumvention vulnerability in Active
+  Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.
+
+  Versions Affected:  4.1.0 and newer
+  Not affected:       4.0.13 and older
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1
+
+  Impact
+  ------
+  Code that uses Active Model based models (including Active Record models) and
+  does not validate user input before passing it to the model can be subject to
+  an attack where specially crafted input will cause the model to skip
+  validations.
+
+  Vulnerable code will look something like this:
+
+  ```ruby
+  SomeModel.new(unverified_user_input)
+  ```
+
+  Rails users using Strong Parameters are generally not impacted by this issue
+  as they are encouraged to whitelist parameters and must specifically opt-out
+  of input verification using the `permit!` method to allow mass assignment.
+
+  For example, a vulnerable Rails application will have code that looks like
+  this:
+
+  ```ruby
+  def create
+    params.permit! # allow all parameters
+    @user = User.new params[:users]
+  end
+  ```
+
+  Active Model and Active Record objects are not equipped to handle arbitrary
+  user input.  It is up to the application to verify input before passing it to
+  Active Model models.  Rails users already have Strong Parameters in place to
+  handle white listing, but applications using Active Model and Active Record
+  outside of a Rails environment may be impacted.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+
+  Workarounds
+  -----------
+  There are several workarounds depending on the application.  Inside a Rails
+  application, stop using `permit!`.  Outside a Rails application, either use
+  Hash#slice to select the parameters you need, or integrate Strong Parameters
+  with your application.
+
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+
+  * 4-1-validation_skip.patch - Patch for 4.1 series
+  * 4-2-validation_skip.patch - Patch for 4.2 series
+  * 5-0-validation_skip.patch - Patch for 5.0 series
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+
+  Credits
+  -------
+  Thanks to:
+
+  [John Backus](https://github.com/backus) from BlockScore for reporting this!
 
 unaffected_versions:
   - "<= 4.0.13"
 
 patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"