bundler-audit 0.6.1 → 0.7.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (391) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +0 -1
  3. data/.travis.yml +3 -2
  4. data/ChangeLog.md +12 -0
  5. data/README.md +11 -11
  6. data/Rakefile +11 -9
  7. data/data/ruby-advisory-db.ts +1 -1
  8. data/gemspec.yml +1 -1
  9. data/lib/bundler/audit.rb +1 -1
  10. data/lib/bundler/audit/advisory.rb +47 -7
  11. data/lib/bundler/audit/cli.rb +15 -7
  12. data/lib/bundler/audit/database.rb +14 -5
  13. data/lib/bundler/audit/scanner.rb +5 -5
  14. data/lib/bundler/audit/version.rb +2 -2
  15. data/spec/advisory_spec.rb +112 -6
  16. data/spec/bundle/secure/Gemfile +1 -0
  17. data/spec/bundle/unpatched_gems/Gemfile +1 -1
  18. data/spec/cli_spec.rb +27 -0
  19. data/spec/database_spec.rb +40 -14
  20. data/spec/integration_spec.rb +3 -3
  21. data/spec/scanner_spec.rb +4 -3
  22. data/spec/spec_helper.rb +1 -13
  23. metadata +14 -375
  24. data/data/ruby-advisory-db/.gitignore +0 -1
  25. data/data/ruby-advisory-db/.rspec +0 -1
  26. data/data/ruby-advisory-db/.travis.yml +0 -12
  27. data/data/ruby-advisory-db/CONTRIBUTING.md +0 -69
  28. data/data/ruby-advisory-db/CONTRIBUTORS.md +0 -40
  29. data/data/ruby-advisory-db/Gemfile +0 -9
  30. data/data/ruby-advisory-db/LICENSE.txt +0 -5
  31. data/data/ruby-advisory-db/README.md +0 -99
  32. data/data/ruby-advisory-db/Rakefile +0 -26
  33. data/data/ruby-advisory-db/gems/Arabic-Prawn/OSVDB-104365.yml +0 -12
  34. data/data/ruby-advisory-db/gems/RedCloth/CVE-2012-6684.yml +0 -21
  35. data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4995.yml +0 -13
  36. data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4996.yml +0 -13
  37. data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml +0 -17
  38. data/data/ruby-advisory-db/gems/actionpack/CVE-2014-0130.yml +0 -23
  39. data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7818.yml +0 -24
  40. data/data/ruby-advisory-db/gems/actionpack/CVE-2014-7829.yml +0 -26
  41. data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml +0 -116
  42. data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml +0 -55
  43. data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml +0 -71
  44. data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml +0 -96
  45. data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml +0 -90
  46. data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml +0 -89
  47. data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml +0 -57
  48. data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +0 -20
  49. data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +0 -21
  50. data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +0 -27
  51. data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +0 -24
  52. data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +0 -22
  53. data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +0 -24
  54. data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +0 -22
  55. data/data/ruby-advisory-db/gems/actionpack/OSVDB-74616.yml +0 -18
  56. data/data/ruby-advisory-db/gems/actionpack/OSVDB-77199.yml +0 -23
  57. data/data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml +0 -26
  58. data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml +0 -28
  59. data/data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml +0 -23
  60. data/data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml +0 -26
  61. data/data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml +0 -24
  62. data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml +0 -20
  63. data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml +0 -23
  64. data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml +0 -92
  65. data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml +0 -89
  66. data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml +0 -56
  67. data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml +0 -92
  68. data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml +0 -20
  69. data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml +0 -15
  70. data/data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml +0 -23
  71. data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml +0 -107
  72. data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml +0 -73
  73. data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +0 -23
  74. data/data/ruby-advisory-db/gems/activerecord/OSVDB-108664.yml +0 -23
  75. data/data/ruby-advisory-db/gems/activerecord/OSVDB-108665.yml +0 -24
  76. data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml +0 -25
  77. data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml +0 -24
  78. data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml +0 -20
  79. data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml +0 -24
  80. data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml +0 -21
  81. data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml +0 -23
  82. data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml +0 -26
  83. data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml +0 -15
  84. data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml +0 -54
  85. data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml +0 -32
  86. data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml +0 -26
  87. data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml +0 -23
  88. data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml +0 -25
  89. data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml +0 -28
  90. data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml +0 -14
  91. data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml +0 -10
  92. data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml +0 -16
  93. data/data/ruby-advisory-db/gems/as/OSVDB-112683.yml +0 -10
  94. data/data/ruby-advisory-db/gems/authlogic/OSVDB-89064.yml +0 -15
  95. data/data/ruby-advisory-db/gems/auto_awesomplete/OSVDB-132800.yml +0 -11
  96. data/data/ruby-advisory-db/gems/auto_select2/OSVDB-132800.yml +0 -13
  97. data/data/ruby-advisory-db/gems/awesome_spawn/CVE-2014-0156.yml +0 -19
  98. data/data/ruby-advisory-db/gems/backup-agoddard/OSVDB-108578.yml +0 -8
  99. data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108569.yml +0 -12
  100. data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108570.yml +0 -10
  101. data/data/ruby-advisory-db/gems/bcrypt-ruby/OSVDB-62067.yml +0 -19
  102. data/data/ruby-advisory-db/gems/bcrypt/OSVDB-62067.yml +0 -17
  103. data/data/ruby-advisory-db/gems/bio-basespace-sdk/OSVDB-101031.yml +0 -8
  104. data/data/ruby-advisory-db/gems/brbackup/OSVDB-108899.yml +0 -12
  105. data/data/ruby-advisory-db/gems/brbackup/OSVDB-108900.yml +0 -11
  106. data/data/ruby-advisory-db/gems/brbackup/OSVDB-108901.yml +0 -11
  107. data/data/ruby-advisory-db/gems/bson/CVE-2015-4412.yml +0 -16
  108. data/data/ruby-advisory-db/gems/builder/OSVDB-95668.yml +0 -13
  109. data/data/ruby-advisory-db/gems/bundler/OSVDB-110004.yml +0 -15
  110. data/data/ruby-advisory-db/gems/bundler/OSVDB-115090.yml +0 -13
  111. data/data/ruby-advisory-db/gems/bundler/OSVDB-115091.yml +0 -12
  112. data/data/ruby-advisory-db/gems/bundler/OSVDB-115917.yml +0 -12
  113. data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108574.yml +0 -8
  114. data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108575.yml +0 -7
  115. data/data/ruby-advisory-db/gems/ciborg/OSVDB-108586.yml +0 -8
  116. data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +0 -15
  117. data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108582.yml +0 -8
  118. data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108583.yml +0 -8
  119. data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml +0 -21
  120. data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml +0 -9
  121. data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +0 -17
  122. data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml +0 -11
  123. data/data/ruby-advisory-db/gems/curb/OSVDB-114600.yml +0 -12
  124. data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +0 -13
  125. data/data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml +0 -22
  126. data/data/ruby-advisory-db/gems/devise/CVE-2015-8314.yml +0 -14
  127. data/data/ruby-advisory-db/gems/devise/OSVDB-114435.yml +0 -17
  128. data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml +0 -20
  129. data/data/ruby-advisory-db/gems/doorkeeper/CVE-2014-8144.yml +0 -26
  130. data/data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml +0 -43
  131. data/data/ruby-advisory-db/gems/doorkeeper/OSVDB-118830.yml +0 -17
  132. data/data/ruby-advisory-db/gems/dragonfly/OSVDB-110439.yml +0 -13
  133. data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml +0 -16
  134. data/data/ruby-advisory-db/gems/dragonfly/OSVDB-96798.yml +0 -14
  135. data/data/ruby-advisory-db/gems/dragonfly/OSVDB-97854.yml +0 -12
  136. data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +0 -12
  137. data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +0 -11
  138. data/data/ruby-advisory-db/gems/ember-source/CVE-2013-4170.yml +0 -25
  139. data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0013.yml +0 -33
  140. data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0014.yml +0 -30
  141. data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0046.yml +0 -26
  142. data/data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml +0 -26
  143. data/data/ruby-advisory-db/gems/ember-source/CVE-2015-7565.yml +0 -30
  144. data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml +0 -9
  145. data/data/ruby-advisory-db/gems/espeak-ruby/CVE-2016-10193.yml +0 -15
  146. data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml +0 -18
  147. data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml +0 -13
  148. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101445.yml +0 -17
  149. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101446.yml +0 -19
  150. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101447.yml +0 -17
  151. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101448.yml +0 -19
  152. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101700.yml +0 -16
  153. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-110420.yml +0 -19
  154. data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-118465.yml +0 -17
  155. data/data/ruby-advisory-db/gems/features/OSVDB-96975.yml +0 -8
  156. data/data/ruby-advisory-db/gems/festivaltts4r/CVE-2016-10194.yml +0 -12
  157. data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml +0 -7
  158. data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml +0 -7
  159. data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml +0 -8
  160. data/data/ruby-advisory-db/gems/fileutils/OSVDB-90718.yml +0 -7
  161. data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml +0 -8
  162. data/data/ruby-advisory-db/gems/flavour_saver/OSVDB-110796.yml +0 -14
  163. data/data/ruby-advisory-db/gems/flukso4r/OSVDB-101577.yml +0 -7
  164. data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-110439.yml +0 -15
  165. data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-90647.yml +0 -16
  166. data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml +0 -16
  167. data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-97854.yml +0 -12
  168. data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml +0 -18
  169. data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8968.yml +0 -21
  170. data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8969.yml +0 -13
  171. data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +0 -14
  172. data/data/ruby-advisory-db/gems/gnms/OSVDB-108594.yml +0 -7
  173. data/data/ruby-advisory-db/gems/gollum-grit_adapter/CVE-2014-9489.yml +0 -23
  174. data/data/ruby-advisory-db/gems/gollum/CVE-2015-7314.yml +0 -13
  175. data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml +0 -20
  176. data/data/ruby-advisory-db/gems/gyazo/OSVDB-108563.yml +0 -10
  177. data/data/ruby-advisory-db/gems/handlebars-source/OSVDB-131671.yml +0 -17
  178. data/data/ruby-advisory-db/gems/http/CVE-2015-1828.yml +0 -14
  179. data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +0 -14
  180. data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +0 -17
  181. data/data/ruby-advisory-db/gems/jquery-rails/CVE-2015-1840.yml +0 -36
  182. data/data/ruby-advisory-db/gems/jquery-ujs/CVE-2015-1840.yml +0 -35
  183. data/data/ruby-advisory-db/gems/jruby-openssl/CVE-2009-4123.yml +0 -16
  184. data/data/ruby-advisory-db/gems/jruby-sandbox/OSVDB-106279.yml +0 -12
  185. data/data/ruby-advisory-db/gems/json/OSVDB-101137.yml +0 -17
  186. data/data/ruby-advisory-db/gems/json/OSVDB-101157.yml +0 -14
  187. data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml +0 -23
  188. data/data/ruby-advisory-db/gems/kafo/OSVDB-106826.yml +0 -15
  189. data/data/ruby-advisory-db/gems/kajam/OSVDB-108529.yml +0 -12
  190. data/data/ruby-advisory-db/gems/kajam/OSVDB-108530.yml +0 -11
  191. data/data/ruby-advisory-db/gems/karo/OSVDB-108573.yml +0 -10
  192. data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml +0 -9
  193. data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108571.yml +0 -8
  194. data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108572.yml +0 -7
  195. data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml +0 -9
  196. data/data/ruby-advisory-db/gems/kompanee-recipes/OSVDB-108593.yml +0 -12
  197. data/data/ruby-advisory-db/gems/lawn-login/OSVDB-108576.yml +0 -8
  198. data/data/ruby-advisory-db/gems/ldap_fluff/OSVDB-90579.yml +0 -15
  199. data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml +0 -9
  200. data/data/ruby-advisory-db/gems/lean-ruport/OSVDB-108581.yml +0 -8
  201. data/data/ruby-advisory-db/gems/lingq/OSVDB-108585.yml +0 -7
  202. data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml +0 -21
  203. data/data/ruby-advisory-db/gems/lynx/OSVDB-108579.yml +0 -7
  204. data/data/ruby-advisory-db/gems/lynx/OSVDB-108580.yml +0 -8
  205. data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml +0 -26
  206. data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml +0 -21
  207. data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml +0 -14
  208. data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml +0 -16
  209. data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-129854.yml +0 -21
  210. data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-132871.yml +0 -22
  211. data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml +0 -9
  212. data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml +0 -15
  213. data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml +0 -16
  214. data/data/ruby-advisory-db/gems/moped/CVE-2015-4410.yml +0 -17
  215. data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml +0 -16
  216. data/data/ruby-advisory-db/gems/mustache-js-rails/OSVDB-131671.yml +0 -17
  217. data/data/ruby-advisory-db/gems/net-ldap/OSVDB-106108.yml +0 -14
  218. data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml +0 -17
  219. data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-1819.yml +0 -52
  220. data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-5312.yml +0 -92
  221. data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-7499.yml +0 -37
  222. data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml +0 -42
  223. data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml +0 -32
  224. data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml +0 -44
  225. data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +0 -18
  226. data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +0 -15
  227. data/data/ruby-advisory-db/gems/nokogiri/OSVDB-118481.yml +0 -15
  228. data/data/ruby-advisory-db/gems/nokogiri/OSVDB-90946.yml +0 -15
  229. data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +0 -19
  230. data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +0 -22
  231. data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +0 -17
  232. data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml +0 -16
  233. data/data/ruby-advisory-db/gems/open-uri-cached/OSVDB-121701.yml +0 -13
  234. data/data/ruby-advisory-db/gems/paperclip/CVE-2015-2963.yml +0 -16
  235. data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +0 -13
  236. data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +0 -13
  237. data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +0 -13
  238. data/data/ruby-advisory-db/gems/passenger/CVE-2014-1831.yml +0 -13
  239. data/data/ruby-advisory-db/gems/passenger/CVE-2014-1832.yml +0 -13
  240. data/data/ruby-advisory-db/gems/passenger/CVE-2015-7519.yml +0 -17
  241. data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml +0 -16
  242. data/data/ruby-advisory-db/gems/passenger/OSVDB-90738.yml +0 -16
  243. data/data/ruby-advisory-db/gems/passenger/OSVDB-93752.yml +0 -15
  244. data/data/ruby-advisory-db/gems/passenger/OSVDB-94074.yml +0 -14
  245. data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml +0 -11
  246. data/data/ruby-advisory-db/gems/point-cli/OSVDB-108577.yml +0 -8
  247. data/data/ruby-advisory-db/gems/quick_magick/OSVDB-106954.yml +0 -7
  248. data/data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml +0 -26
  249. data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml +0 -18
  250. data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml +0 -17
  251. data/data/ruby-advisory-db/gems/rack-ssl/OSVDB-104734.yml +0 -11
  252. data/data/ruby-advisory-db/gems/rack/CVE-2015-3225.yml +0 -18
  253. data/data/ruby-advisory-db/gems/rack/OSVDB-78121.yml +0 -21
  254. data/data/ruby-advisory-db/gems/rack/OSVDB-89317.yml +0 -21
  255. data/data/ruby-advisory-db/gems/rack/OSVDB-89320.yml +0 -19
  256. data/data/ruby-advisory-db/gems/rack/OSVDB-89327.yml +0 -20
  257. data/data/ruby-advisory-db/gems/rack/OSVDB-89938.yml +0 -18
  258. data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +0 -23
  259. data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7578.yml +0 -47
  260. data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7579.yml +0 -75
  261. data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7580.yml +0 -70
  262. data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +0 -20
  263. data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml +0 -27
  264. data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml +0 -17
  265. data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml +0 -16
  266. data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml +0 -15
  267. data/data/ruby-advisory-db/gems/refile/OSVDB-120857.yml +0 -16
  268. data/data/ruby-advisory-db/gems/rest-client/CVE-2015-1820.yml +0 -23
  269. data/data/ruby-advisory-db/gems/rest-client/OSVDB-117461.yml +0 -13
  270. data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +0 -15
  271. data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml +0 -17
  272. data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-117903.yml +0 -13
  273. data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124383.yml +0 -11
  274. data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124991.yml +0 -13
  275. data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml +0 -11
  276. data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml +0 -14
  277. data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml +0 -13
  278. data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml +0 -7
  279. data/data/ruby-advisory-db/gems/sentry-raven/OSVDB-115654.yml +0 -14
  280. data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +0 -15
  281. data/data/ruby-advisory-db/gems/show_in_browser/OSVDB-93490.yml +0 -8
  282. data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126329.yml +0 -12
  283. data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126330.yml +0 -10
  284. data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126331.yml +0 -14
  285. data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125675.yml +0 -9
  286. data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125676.yml +0 -14
  287. data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125678.yml +0 -9
  288. data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml +0 -14
  289. data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml +0 -16
  290. data/data/ruby-advisory-db/gems/spree/OSVDB-119205.yml +0 -18
  291. data/data/ruby-advisory-db/gems/spree/OSVDB-125699.yml +0 -18
  292. data/data/ruby-advisory-db/gems/spree/OSVDB-125701.yml +0 -17
  293. data/data/ruby-advisory-db/gems/spree/OSVDB-125712.yml +0 -16
  294. data/data/ruby-advisory-db/gems/spree/OSVDB-125713.yml +0 -15
  295. data/data/ruby-advisory-db/gems/spree/OSVDB-69098.yml +0 -19
  296. data/data/ruby-advisory-db/gems/spree/OSVDB-73751.yml +0 -11
  297. data/data/ruby-advisory-db/gems/spree/OSVDB-76011.yml +0 -15
  298. data/data/ruby-advisory-db/gems/spree/OSVDB-81505.yml +0 -14
  299. data/data/ruby-advisory-db/gems/spree/OSVDB-81506.yml +0 -16
  300. data/data/ruby-advisory-db/gems/spree/OSVDB-90865.yml +0 -20
  301. data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +0 -17
  302. data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +0 -17
  303. data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +0 -17
  304. data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +0 -17
  305. data/data/ruby-advisory-db/gems/spree_auth/OSVDB-90865.yml +0 -16
  306. data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml +0 -20
  307. data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml +0 -27
  308. data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +0 -16
  309. data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml +0 -14
  310. data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml +0 -14
  311. data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml +0 -9
  312. data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml +0 -22
  313. data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml +0 -19
  314. data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml +0 -22
  315. data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml +0 -12
  316. data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +0 -12
  317. data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml +0 -14
  318. data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +0 -15
  319. data/data/ruby-advisory-db/gems/xaviershay-dm-rails/OSVDB-118579.yml +0 -13
  320. data/data/ruby-advisory-db/lib/cf_scrape.py +0 -5
  321. data/data/ruby-advisory-db/lib/osvdb_scrape.rb +0 -92
  322. data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4287.yml +0 -19
  323. data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4363.yml +0 -20
  324. data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-3900.yml +0 -19
  325. data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml +0 -19
  326. data/data/ruby-advisory-db/libraries/rubygems/OSVDB-33561.yml +0 -17
  327. data/data/ruby-advisory-db/libraries/rubygems/OSVDB-81444.yml +0 -14
  328. data/data/ruby-advisory-db/libraries/rubygems/OSVDB-85809.yml +0 -16
  329. data/data/ruby-advisory-db/rubies/jruby/CVE-2010-1330.yml +0 -17
  330. data/data/ruby-advisory-db/rubies/jruby/CVE-2011-4838.yml +0 -15
  331. data/data/ruby-advisory-db/rubies/jruby/CVE-2012-5370.yml +0 -17
  332. data/data/ruby-advisory-db/rubies/jruby/OSVDB-94644.yml +0 -12
  333. data/data/ruby-advisory-db/rubies/rbx/OSVDB-78119.yml +0 -13
  334. data/data/ruby-advisory-db/rubies/rbx/OSVDB-87861.yml +0 -17
  335. data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml +0 -16
  336. data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5770.yml +0 -17
  337. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-1447.yml +0 -15
  338. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-1891.yml +0 -21
  339. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-2376.yml +0 -18
  340. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-3443.yml +0 -17
  341. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-3655.yml +0 -18
  342. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-3656.yml +0 -19
  343. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-3657.yml +0 -16
  344. data/data/ruby-advisory-db/rubies/ruby/CVE-2008-3905.yml +0 -17
  345. data/data/ruby-advisory-db/rubies/ruby/CVE-2009-0642.yml +0 -17
  346. data/data/ruby-advisory-db/rubies/ruby/CVE-2009-5147.yml +0 -13
  347. data/data/ruby-advisory-db/rubies/ruby/CVE-2011-0188.yml +0 -17
  348. data/data/ruby-advisory-db/rubies/ruby/CVE-2011-2686.yml +0 -17
  349. data/data/ruby-advisory-db/rubies/ruby/CVE-2011-2705.yml +0 -16
  350. data/data/ruby-advisory-db/rubies/ruby/CVE-2011-3009.yml +0 -17
  351. data/data/ruby-advisory-db/rubies/ruby/CVE-2012-4464.yml +0 -17
  352. data/data/ruby-advisory-db/rubies/ruby/CVE-2012-4466.yml +0 -16
  353. data/data/ruby-advisory-db/rubies/ruby/CVE-2012-4481.yml +0 -15
  354. data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml +0 -17
  355. data/data/ruby-advisory-db/rubies/ruby/CVE-2015-7551.yml +0 -19
  356. data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml +0 -19
  357. data/data/ruby-advisory-db/rubies/ruby/OSVDB-100113.yml +0 -17
  358. data/data/ruby-advisory-db/rubies/ruby/OSVDB-105027.yml +0 -20
  359. data/data/ruby-advisory-db/rubies/ruby/OSVDB-107478.yml +0 -16
  360. data/data/ruby-advisory-db/rubies/ruby/OSVDB-108971.yml +0 -17
  361. data/data/ruby-advisory-db/rubies/ruby/OSVDB-113747.yml +0 -19
  362. data/data/ruby-advisory-db/rubies/ruby/OSVDB-114641.yml +0 -22
  363. data/data/ruby-advisory-db/rubies/ruby/OSVDB-120541.yml +0 -22
  364. data/data/ruby-advisory-db/rubies/ruby/OSVDB-46550.yml +0 -22
  365. data/data/ruby-advisory-db/rubies/ruby/OSVDB-46551.yml +0 -21
  366. data/data/ruby-advisory-db/rubies/ruby/OSVDB-46552.yml +0 -21
  367. data/data/ruby-advisory-db/rubies/ruby/OSVDB-46553.yml +0 -22
  368. data/data/ruby-advisory-db/rubies/ruby/OSVDB-46554.yml +0 -18
  369. data/data/ruby-advisory-db/rubies/ruby/OSVDB-47753.yml +0 -16
  370. data/data/ruby-advisory-db/rubies/ruby/OSVDB-55031.yml +0 -17
  371. data/data/ruby-advisory-db/rubies/ruby/OSVDB-60880.yml +0 -17
  372. data/data/ruby-advisory-db/rubies/ruby/OSVDB-61774.yml +0 -20
  373. data/data/ruby-advisory-db/rubies/ruby/OSVDB-65556.yml +0 -17
  374. data/data/ruby-advisory-db/rubies/ruby/OSVDB-66040.yml +0 -17
  375. data/data/ruby-advisory-db/rubies/ruby/OSVDB-70957.yml +0 -15
  376. data/data/ruby-advisory-db/rubies/ruby/OSVDB-70958.yml +0 -20
  377. data/data/ruby-advisory-db/rubies/ruby/OSVDB-74829.yml +0 -18
  378. data/data/ruby-advisory-db/rubies/ruby/OSVDB-78118.yml +0 -14
  379. data/data/ruby-advisory-db/rubies/ruby/OSVDB-87280.yml +0 -17
  380. data/data/ruby-advisory-db/rubies/ruby/OSVDB-87863.yml +0 -18
  381. data/data/ruby-advisory-db/rubies/ruby/OSVDB-87917.yml +0 -16
  382. data/data/ruby-advisory-db/rubies/ruby/OSVDB-90587.yml +0 -16
  383. data/data/ruby-advisory-db/rubies/ruby/OSVDB-93414.yml +0 -19
  384. data/data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml +0 -21
  385. data/data/ruby-advisory-db/scripts/post-advisories.sh +0 -18
  386. data/data/ruby-advisory-db/spec/advisory_example.rb +0 -202
  387. data/data/ruby-advisory-db/spec/gem_example.rb +0 -22
  388. data/data/ruby-advisory-db/spec/gems_spec.rb +0 -23
  389. data/data/ruby-advisory-db/spec/library_example.rb +0 -21
  390. data/data/ruby-advisory-db/spec/ruby_example.rb +0 -23
  391. data/data/ruby-advisory-db/spec/spec_helper.rb +0 -1
data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml DELETED
@@ -1,55 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2015-7581
5
- date: 2016-01-25
6
- url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE"
7
-
8
- title: Object leak vulnerability for wildcard controller routes in Action Pack
9
-
10
- description: |
11
- There is an object leak vulnerability for wildcard controllers in Action Pack.
12
- This vulnerability has been assigned the CVE identifier CVE-2015-7581.
13
-
14
- Versions Affected: >= 4.0.0 and < 5.0.0.beta1
15
- Not affected: < 4.0.0, 5.0.0.beta1 and newer
16
- Fixed Versions: 4.2.5.1, 4.1.14.1
17
-
18
- Impact
19
- ------
20
- Users that have a route that contains the string ":controller" are susceptible
21
- to objects being leaked globally which can lead to unbounded memory growth.
22
- To identify if your application is vulnerable, look for routes that contain
23
- ":controller".
24
-
25
- Internally, Action Pack keeps a map of "url controller name" to "controller
26
- class name". This map is cached globally, and is populated even if the
27
- controller class doesn't actually exist.
28
-
29
- All users running an affected release should either upgrade or use one of the
30
- workarounds immediately.
31
-
32
- Releases
33
- --------
34
- The FIXED releases are available at the normal locations.
35
-
36
- Workarounds
37
- -----------
38
- There are no feasible workarounds for this issue.
39
-
40
- Patches
41
- -------
42
- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
43
-
44
- * 4-1-wildcard_route.patch - Patch for 4.1 series
45
- * 4-2-wildcard_route.patch - Patch for 4.2 series
46
-
47
- Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
48
-
49
- unaffected_versions:
50
- - "< 4.0.0"
51
- - ">= 5.0.0.beta1"
52
-
53
- patched_versions:
54
- - "~> 4.2.5, >= 4.2.5.1"
55
- - "~> 4.1.14, >= 4.1.14.1"
data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml DELETED
@@ -1,71 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2016-0751
5
- date: 2016-01-25
6
- url: "https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc"
7
-
8
- title: Possible Object Leak and Denial of Service attack in Action Pack
9
-
10
- description: |
11
- There is a possible object leak which can lead to a denial of service
12
- vulnerability in Action Pack. This vulnerability has been
13
- assigned the CVE identifier CVE-2016-0751.
14
-
15
- Versions Affected: All.
16
- Not affected: None.
17
- Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
18
-
19
- Impact
20
- ------
21
- A carefully crafted accept header can cause a global cache of mime types to
22
- grow indefinitely which can lead to a possible denial of service attack in
23
- Action Pack.
24
-
25
- All users running an affected release should either upgrade or use one of the
26
- workarounds immediately.
27
-
28
- Releases
29
- --------
30
- The FIXED releases are available at the normal locations.
31
-
32
- Workarounds
33
- -----------
34
- This attack can be mitigated by a proxy that only allows known mime types in
35
- the Accept header.
36
-
37
- Placing the following code in an initializer will also mitigate the issue:
38
-
39
- ```ruby
40
- require 'action_dispatch/http/mime_type'
41
-
42
- Mime.const_set :LOOKUP, Hash.new { |h,k|
43
- Mime::Type.new(k) unless k.blank?
44
- }
45
- ```
46
-
47
- Patches
48
- -------
49
- To aid users who aren't able to upgrade immediately we have provided patches for
50
- the two supported release series. They are in git-am format and consist of a
51
- single changeset.
52
-
53
- * 5-0-mime_types_leak.patch - Patch for 5.0 series
54
- * 4-2-mime_types_leak.patch - Patch for 4.2 series
55
- * 4-1-mime_types_leak.patch - Patch for 4.1 series
56
- * 3-2-mime_types_leak.patch - Patch for 3.2 series
57
-
58
- Please note that only the 4.1.x and 4.2.x series are supported at present. Users
59
- of earlier unsupported releases are advised to upgrade as soon as possible as we
60
- cannot guarantee the continued availability of security fixes for unsupported
61
- releases.
62
-
63
- Credits
64
- -------
65
- Aaron Patterson <3<3
66
-
67
- patched_versions:
68
- - ">= 5.0.0.beta1.1"
69
- - "~> 4.2.5, >= 4.2.5.1"
70
- - "~> 4.1.14, >= 4.1.14.1"
71
- - "~> 3.2.22.1"
data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml DELETED
@@ -1,96 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2016-0752
5
- date: 2016-01-25
6
- url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
7
-
8
- title: Possible Information Leak Vulnerability in Action View
9
- description: |
10
- There is a possible directory traversal and information leak vulnerability in
11
- Action View. This vulnerability has been assigned the CVE identifier
12
- CVE-2016-0752.
13
-
14
- Versions Affected: All.
15
- Not affected: None.
16
- Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
17
-
18
- Impact
19
- ------
20
- Applications that pass unverified user input to the `render` method in a
21
- controller may be vulnerable to an information leak vulnerability.
22
-
23
- Impacted code will look something like this:
24
-
25
- ```ruby
26
- def index
27
- render params[:id]
28
- end
29
- ```
30
-
31
- Carefully crafted requests can cause the above code to render files from
32
- unexpected places like outside the application's view directory, and can
33
- possibly escalate this to a remote code execution attack.
34
-
35
- All users running an affected release should either upgrade or use one of the
36
- workarounds immediately.
37
-
38
- Releases
39
- --------
40
- The FIXED releases are available at the normal locations.
41
-
42
- Workarounds
43
- -----------
44
- A workaround to this issue is to not pass arbitrary user input to the `render`
45
- method. Instead, verify that data before passing it to the `render` method.
46
-
47
- For example, change this:
48
-
49
- ```ruby
50
- def index
51
- render params[:id]
52
- end
53
- ```
54
-
55
- To this:
56
-
57
- ```ruby
58
- def index
59
- render verify_template(params[:id])
60
- end
61
-
62
- private
63
- def verify_template(name)
64
- # add verification logic particular to your application here
65
- end
66
- ```
67
-
68
- Patches
69
- -------
70
- To aid users who aren't able to upgrade immediately we have provided patches for
71
- the two supported release series. They are in git-am format and consist of a
72
- single changeset.
73
-
74
- * 3-2-render_data_leak.patch - Patch for 3.2 series
75
- * 4-1-render_data_leak.patch - Patch for 4.1 series
76
- * 4-2-render_data_leak.patch - Patch for 4.2 series
77
- * 5-0-render_data_leak.patch - Patch for 5.0 series
78
-
79
- Please note that only the 4.1.x and 4.2.x series are supported at present. Users
80
- of earlier unsupported releases are advised to upgrade as soon as possible as we
81
- cannot guarantee the continued availability of security fixes for unsupported
82
- releases.
83
-
84
- Credits
85
- -------
86
- Thanks John Poulin for reporting this!
87
-
88
- unaffected_versions:
89
- # Newer versions are affected, but tracked in the actionview gem.
90
- - ">= 4.1.0"
91
-
92
- patched_versions:
93
- - ">= 5.0.0.beta1.1"
94
- - "~> 4.2.5, >= 4.2.5.1"
95
- - "~> 4.1.14, >= 4.1.14.1"
96
- - "~> 3.2.22.1"
data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml DELETED
@@ -1,90 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2016-2097
5
- date: 2016-02-29
6
- url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
7
-
8
- title: Possible Information Leak Vulnerability in Action View
9
-
10
- description: |
11
-
12
- There is a possible directory traversal and information leak vulnerability
13
- in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
14
- patch was not covering all the scenarios. This vulnerability has been
15
- assigned the CVE identifier CVE-2016-2097.
16
-
17
- Versions Affected: 3.2.x, 4.0.x, 4.1.x
18
- Not affected: 4.2+
19
- Fixed Versions: 3.2.22.2, 4.1.14.2
20
-
21
- Impact
22
- ------
23
- Applications that pass unverified user input to the `render` method in a
24
- controller may be vulnerable to an information leak vulnerability.
25
-
26
- Impacted code will look something like this:
27
-
28
- ```ruby
29
- def index
30
- render params[:id]
31
- end
32
- ```
33
-
34
- Carefully crafted requests can cause the above code to render files from
35
- unexpected places like outside the application's view directory, and can
36
- possibly escalate this to a remote code execution attack.
37
-
38
- All users running an affected release should either upgrade or use one of the
39
- workarounds immediately.
40
-
41
- Releases
42
- --------
43
- The FIXED releases are available at the normal locations.
44
-
45
- Workarounds
46
- -----------
47
- A workaround to this issue is to not pass arbitrary user input to the `render`
48
- method. Instead, verify that data before passing it to the `render` method.
49
-
50
- For example, change this:
51
-
52
- ```ruby
53
- def index
54
- render params[:id]
55
- end
56
- ```
57
-
58
- To this:
59
-
60
- ```ruby
61
- def index
62
- render verify_template(params[:id])
63
- end
64
-
65
- private
66
- def verify_template(name)
67
- # add verification logic particular to your application here
68
- end
69
- ```
70
-
71
- Patches
72
- -------
73
- To aid users who aren't able to upgrade immediately we have provided patches
74
- for it. It is in git-am format and consist of a single changeset.
75
-
76
- * 3-2-render_data_leak_2.patch - Patch for 3.2 series
77
- * 4-1-render_data_leak_2.patch - Patch for 4.1 series
78
-
79
- Credits
80
- -------
81
- Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
82
- and working with us in the patch!
83
-
84
- unaffected_versions:
85
- # Newer versions are affected, but tracked in the actionview gem.
86
- - ">= 4.1.0"
87
-
88
- patched_versions:
89
- - "~> 3.2.22.2"
90
- - "~> 4.1.14, >= 4.1.14.2"
data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml DELETED
@@ -1,89 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2016-2098
5
- date: 2016-02-29
6
- url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q"
7
-
8
- title: Possible remote code execution vulnerability in Action Pack
9
-
10
- description: |
11
- There is a possible remote code execution vulnerability in Action Pack.
12
- This vulnerability has been assigned the CVE identifier CVE-2016-2098.
13
-
14
- Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x
15
- Not affected: 5.0+
16
- Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2
17
-
18
- Impact
19
- ------
20
- Applications that pass unverified user input to the `render` method in a
21
- controller or a view may be vulnerable to a code injection.
22
-
23
- Impacted code will look like this:
24
-
25
- ```ruby
26
- class TestController < ApplicationController
27
- def show
28
- render params[:id]
29
- end
30
- end
31
- ```
32
-
33
- An attacker could use the request parameters to coerce the above example
34
- to execute arbitrary ruby code.
35
-
36
- All users running an affected release should either upgrade or use one of
37
- the workarounds immediately.
38
-
39
- Releases
40
- --------
41
- The FIXED releases are available at the normal locations.
42
-
43
- Workarounds
44
- -----------
45
- A workaround to this issue is to not pass arbitrary user input to the `render`
46
- method. Instead, verify that data before passing it to the `render` method.
47
-
48
- For example, change this:
49
-
50
- ```ruby
51
- def index
52
- render params[:id]
53
- end
54
- ```
55
-
56
- To this:
57
-
58
- ```ruby
59
- def index
60
- render verify_template(params[:id])
61
- end
62
-
63
- private
64
- def verify_template(name)
65
- # add verification logic particular to your application here
66
- end
67
- ```
68
-
69
- Patches
70
- -------
71
- To aid users who aren't able to upgrade immediately we have provided a
72
- patch for it. It is in git-am format and consist of a single changeset.
73
-
74
- * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
75
- * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
76
- * 4-2-secure_inline_with_params.patch - Patch for 4.2 series
77
-
78
- Credits
79
- -------
80
- Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for
81
- reporting this!
82
-
83
- unaffected_versions:
84
- - ">= 5.0.0.beta1"
85
-
86
- patched_versions:
87
- - "~> 3.2.22.2"
88
- - "~> 4.2.5, >= 4.2.5.2"
89
- - "~> 4.1.14, >= 4.1.14.2"
data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml DELETED
@@ -1,57 +0,0 @@
1
- ---
2
- gem: actionpack
3
- framework: rails
4
- cve: 2016-6316
5
- date: 2016-08-11
6
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
7
-
8
- title: Possible XSS Vulnerability in Action View
9
-
10
- description: |
11
- There is a possible XSS vulnerability in Action View. Text declared as "HTML
12
- safe" will not have quotes escaped when used as attribute values in tag
13
- helpers.
14
-
15
- Impact
16
- ------
17
-
18
- Text declared as "HTML safe" when passed as an attribute value to a tag helper
19
- will not have quotes escaped which can lead to an XSS attack. Impacted code
20
- looks something like this:
21
-
22
- ```ruby
23
- content_tag(:div, "hi", title: user_input.html_safe)
24
- ```
25
-
26
- Some helpers like the `sanitize` helper will automatically mark strings as
27
- "HTML safe", so impacted code could also look something like this:
28
-
29
- ```ruby
30
- content_tag(:div, "hi", title: sanitize(user_input))
31
- ```
32
-
33
- All users running an affected release should either upgrade or use one of the
34
- workarounds immediately.
35
-
36
- Workarounds
37
- -----------
38
- You can work around this issue by either *not* marking arbitrary user input as
39
- safe, or by manually escaping quotes like this:
40
-
41
- ```ruby
42
- def escape_quotes(value)
43
- value.gsub(/"/, '&quot;'.freeze)
44
- end
45
-
46
- content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
47
- ```
48
-
49
- unaffected_versions:
50
- - "< 3.0.0"
51
- # Newer versions are affected, but tracked in the actionview gem.
52
- - ">= 4.1.0"
53
-
54
- patched_versions:
55
- - ~> 3.2.22.3
56
- - ~> 4.2.7.1
57
- - ">= 5.0.0.1"