RubyGems - bundler-audit - Versions diffs - 0.5.0 → 0.8.0.rc1 - Mend

bundler-audit 0.5.0 → 0.8.0.rc1

Files changed (398) hide show

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml DELETED

@@ -1,55 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2015-7581
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE"
-title: Object leak vulnerability for wildcard controller routes in Action Pack
-description: |
-  There is an object leak vulnerability for wildcard controllers in Action Pack.
-  This vulnerability has been assigned the CVE identifier CVE-2015-7581.
-  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1
-  Not affected:       < 4.0.0, 5.0.0.beta1 and newer
-  Fixed Versions:     4.2.5.1, 4.1.14.1
-  Impact
-  ------
-  Users that have a route that contains the string ":controller" are susceptible
-  to objects being leaked globally which can lead to unbounded memory growth.
-  To identify if your application is vulnerable, look for routes that contain
-  ":controller".
-  Internally, Action Pack keeps a map of "url controller name" to "controller
-  class name".  This map is cached globally, and is populated even if the
-  controller class doesn't actually exist.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  There are no feasible workarounds for this issue.
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.
-  * 4-1-wildcard_route.patch - Patch for 4.1 series
-  * 4-2-wildcard_route.patch - Patch for 4.2 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
-unaffected_versions:
-  - "< 4.0.0"
-  - ">= 5.0.0.beta1"
-patched_versions:
-  - "~> 4.2.5.1"
-  - "~> 4.1.14.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml DELETED

@@ -1,71 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2016-0751
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc"
-title: Possible Object Leak and Denial of Service attack in Action Pack
-description: |
-  There is a possible object leak which can lead to a denial of service
-  vulnerability in Action Pack. This vulnerability has been
-  assigned the CVE identifier CVE-2016-0751.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  A carefully crafted accept header can cause a global cache of mime types to
-  grow indefinitely which can lead to a possible denial of service attack in
-  Action Pack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  This attack can be mitigated by a proxy that only allows known mime types in
-  the Accept header.
-  Placing the following code in an initializer will also mitigate the issue:
-  ```ruby
-  require 'action_dispatch/http/mime_type'
-  Mime.const_set :LOOKUP, Hash.new { |h,k|
-    Mime::Type.new(k) unless k.blank?
-  }
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 5-0-mime_types_leak.patch - Patch for 5.0 series
-  * 4-2-mime_types_leak.patch - Patch for 4.2 series
-  * 4-1-mime_types_leak.patch - Patch for 4.1 series
-  * 3-2-mime_types_leak.patch - Patch for 3.2 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Aaron Patterson <3<3
-patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1"
-  - "~> 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6415
-osvdb: 100524
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
-title: XSS Vulnerability in number_to_currency
-date: 2013-12-03
-description: |
-  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
-  The number_to_currency helper allows users to nicely format a numeric value. One
-  of the parameters to the helper (unit) is not escaped correctly.  Applications
-  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6414
-osvdb: 100525
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
-title: Denial of Service Vulnerability in Action View
-date: 2013-12-03
-description: |
-  There is a denial of service vulnerability in the header handling component of
-  Action View.
-cvss_v2: 5.0
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml DELETED

@@ -1,27 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6416
-osvdb: 100526
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
-title: XSS Vulnerability in simple_format helper
-date: 2013-12-03
-description: |
-  There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text
-  which is intended to be safe for display. A change made to the
-  implementation of this helper means that any user provided HTML
-  attributes will not be escaped correctly. As a result of this error,
-  applications which pass user-controlled data to be included as html
-  attributes will be vulnerable to an XSS attack.
-cvss_v2: 4.3
-unaffected_versions:
-  - ~> 2.3.0
-  - ~> 3.1.0
-  - ~> 3.2.0
-patched_versions:
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6417
-osvdb: 100527
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
-title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
-date: 2013-12-03
-description: |
-  The prior fix to CVE-2013-0155 was incomplete and the use of common
-  3rd party libraries can accidentally circumvent the protection. Due
-  to the way that Rack::Request and Rails::Request interact, it is
-  possible for a 3rd party or custom rack middleware to parse the
-  parameters insecurely and store them in the same key that Rails uses
-  for its own parameters.  In the event that happens the application
-  will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-4491
-osvdb: 100528
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
-title: Reflective XSS Vulnerability in Ruby on Rails
-date: 2013-12-03
-description: |
-  There is a vulnerability in the internationalization component of Ruby on
-  Rails. Under certain common configurations an attacker can provide specially
-  crafted input which will execute a reflective XSS attack.
-  The root cause of this issue is a vulnerability in the i18n gem which has
-  been assigned the identifier CVE-2013-4492.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2014-0081
-osvdb: 103439
-url: http://osvdb.org/show/osvdb/103439
-title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
-date: 2014-02-18
-description: |
-  Ruby on Rails contains a flaw that allows a cross-site scripting (XSS) attack.
-  This flaw exists because the actionpack/lib/action_view/helpers/number_helper.rb
-  script does not validate input to the 'number_to_currency', 'number_to_percentage',
-  and 'number_to_human' helpers before returning it to users. This may allow a
-  remote attacker to create a specially crafted request that would execute arbitrary
-  script code in a user's browser session within the trust relationship between
-  their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.17
-  - ~> 4.0.3
-  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2014-0082
-osvdb: 103440
-url: http://osvdb.org/show/osvdb/103440
-title: Denial of Service Vulnerability in Action View when using render :text
-date: 2014-02-18
-description: |
-  Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
-  in the text rendering component of Action View that is triggered when
-  handling MIME types that are converted to symbols. This may allow a
-  remote attacker to cause a denial of service.
-cvss_v2: 5.0
-unaffected_versions:
-  - ~> 4.0.0
-patched_versions:
-  - ">= 3.2.17"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-74616.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2011-3186
-osvdb: 74616
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
-title: Response Splitting Vulnerability in Ruby on Rails
-date: 2011-08-16
-description: |
-  A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
-  a remote attacker to inject arbitrary HTTP headers into a response due to
-  insufficient sanitization of the values provided for response content types.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.3.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-77199.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2011-4319
-osvdb: 77199
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
-title: XSS vulnerability in the translate helper method in Ruby on Rails
-date: 2011-11-17
-description: |
-  A cross-site scripting (XSS) flaw was found in the way the 'translate' helper
-  method of the Ruby on Rails performed HTML escaping of interpolated user
-  input, when interpolation in combination with HTML-safe translations were
-  used. A remote attacker could use this flaw to execute arbitrary HTML or web
-  script by providing a specially-crafted input to Ruby on Rails application,
-  using the ActionPack module and its 'translate' helper method without explicit
-  (application specific) sanitization of user provided input.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 3.0.11"
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2012-1099
-osvdb: 79727
-url: http://www.osvdb.org/show/osvdb/79727
-title:
-  Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
-  Manually Generated Select Tag Options XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the application does not validate manually
-  generated 'select tag options' upon submission to
-  actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a
-  user to create a specially crafted request that would execute arbitrary
-  script code in a user's browser within the trust relationship between their
-  browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml DELETED

@@ -1,28 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2012-3424
-osvdb: 84243
-url: http://www.osvdb.org/show/osvdb/84243
-title:
-  Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
-  with_http_digest Helper Method Remote DoS
-date: 2012-07-26
-description: |
-  Ruby on Rails contains a flaw that may allow a remote denial of service.
-  The issue is triggered when an error occurs in
-  actionpack/lib/action_controller/metal/http_authentication.rb when the
-  with_http_digest helper method is being used. This may allow a remote
-  attacker to cause a loss of availability for the program.
-cvss_v2: 5.0
-unaffected_versions:
-  - ">= 2.3.5, <= 2.3.14"
-patched_versions:
-  - ~> 3.0.16
-  - ~> 3.1.7
-  - ">= 3.2.7"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2012-3465
-osvdb: 84513
-url: http://www.osvdb.org/show/osvdb/84513
-title: Ruby on Rails strip_tags Helper Method XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the application does not validate input
-  passed via the 'strip_tags' helper method before returning it to the user.
-  This may allow a user to create a specially crafted request that would
-  execute arbitrary script code in a user's browser within the trust
-  relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2012-3463
-osvdb: 84515
-url: http://osvdb.org/84515
-title: Ruby on Rails select_tag Helper Method prompt Value XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because input passed via the prompt value is not
-  properly sanitized by the select_tag helper method before returning it to
-  the user. This may allow a user to create a specially crafted request that
-  would execute arbitrary script code in a user's browser within the trust
-  relationship between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"