RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml DELETED

@@ -1,89 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2016-2097
-date: 2016-02-29
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
-title: Possible Information Leak Vulnerability in Action View
-description: |
-  There is a possible directory traversal and information leak vulnerability
-  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
-  patch was not covering all the scenarios. This vulnerability has been
-  assigned the CVE identifier CVE-2016-2097.
-  Versions Affected:  3.2.x, 4.0.x, 4.1.x
-  Not affected:       4.2+
-  Fixed Versions:     3.2.22.2, 4.1.14.2
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller may be vulnerable to an information leak vulnerability.
-  Impacted code will look something like this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  Carefully crafted requests can cause the above code to render files from
-  unexpected places like outside the application's view directory, and can
-  possibly escalate this to a remote code execution attack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method. Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches
-  for it. It is in git-am format and consist of a single changeset.
-  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
-  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
-  Credits
-  -------
-  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
-  and working with us in the patch!
-unaffected_versions:
-  - ">= 4.2.0"
-# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
-patched_versions:
-  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml DELETED

@@ -1,56 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2016-6316
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
-title: Possible XSS Vulnerability in Action View
-description: |
-  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
-  safe" will not have quotes escaped when used as attribute values in tag
-  helpers.
-  Impact
-  ------
-  Text declared as "HTML safe" when passed as an attribute value to a tag helper
-  will not have quotes escaped which can lead to an XSS attack.  Impacted code
-  looks something like this:
-  ```ruby
-  content_tag(:div, "hi", title: user_input.html_safe)
-  ```
-  Some helpers like the `sanitize` helper will automatically mark strings as
-  "HTML safe", so impacted code could also look something like this:
-  ```ruby
-  content_tag(:div, "hi", title: sanitize(user_input))
-  ```
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Workarounds
-  -----------
-  You can work around this issue by either *not* marking arbitrary user input as
-  safe, or by manually escaping quotes like this:
-  ```ruby
-  def escape_quotes(value)
-    value.gsub(/"/, '&quot;'.freeze)
-  end
-  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
-  ```
-unaffected_versions:
-  - "< 3.0.0"
-# "~> 3.2.22.3" is found in gems/actionpack/CVE-2016-6316.yml
-patched_versions:
-  - "~> 4.2.7.1"
-  - "~> 4.2.8"
-  - ">= 5.0.0.1"

data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml DELETED

@@ -1,92 +0,0 @@
----
-gem: activemodel
-framework: rails
-cve: 2016-0753
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
-title: Possible Input Validation Circumvention in Active Model
-description: |
-  There is a possible input validation circumvention vulnerability in Active
-  Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.
-  Versions Affected:  4.1.0 and newer
-  Not affected:       4.0.13 and older
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1
-  Impact
-  ------
-  Code that uses Active Model based models (including Active Record models) and
-  does not validate user input before passing it to the model can be subject to
-  an attack where specially crafted input will cause the model to skip
-  validations.
-  Vulnerable code will look something like this:
-  ```ruby
-  SomeModel.new(unverified_user_input)
-  ```
-  Rails users using Strong Parameters are generally not impacted by this issue
-  as they are encouraged to whitelist parameters and must specifically opt-out
-  of input verification using the `permit!` method to allow mass assignment.
-  For example, a vulnerable Rails application will have code that looks like
-  this:
-  ```ruby
-  def create
-    params.permit! # allow all parameters
-    @user = User.new params[:users]
-  end
-  ```
-  Active Model and Active Record objects are not equipped to handle arbitrary
-  user input.  It is up to the application to verify input before passing it to
-  Active Model models.  Rails users already have Strong Parameters in place to
-  handle white listing, but applications using Active Model and Active Record
-  outside of a Rails environment may be impacted.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  There are several workarounds depending on the application.  Inside a Rails
-  application, stop using `permit!`.  Outside a Rails application, either use
-  Hash#slice to select the parameters you need, or integrate Strong Parameters
-  with your application.
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 4-1-validation_skip.patch - Patch for 4.1 series
-  * 4-2-validation_skip.patch - Patch for 4.2 series
-  * 5-0-validation_skip.patch - Patch for 5.0 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Thanks to:
-  [John Backus](https://github.com/backus) from BlockScore for reporting this!
-unaffected_versions:
-  - "<= 4.0.13"
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: activerecord-jdbc-adapter
-platform: jruby
-osvdb: 114854
-url: http://osvdb.org/show/osvdb/114854
-title: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
-  Function SQL Injection
-date: 2013-02-25
-description: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
-  out an SQL injection attack. The issue is due to the sql.gsub() function in
-  lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
-  using it in SQL queries. This may allow a remote attacker to inject or
-  manipulate SQL queries in the back-end database, allowing for the
-  manipulation or disclosure of arbitrary data.
-unaffected_versions:
-  - "< 1.2.6"
-patched_versions:
-  - ">= 1.2.8"

data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: activerecord-oracle_enhanced-adapter
-osvdb: 95376
-url: http://osvdb.org/show/osvdb/95376
-title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
-date: 2008-10-10
-description: |
-  Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an
-  attacker to carry out an SQL injection attack. The issue is due to the
-  program not properly sanitizing user-supplied input related to the :limit and
-  :offset functions. This may allow an attacker to inject or manipulate SQL
-  queries in the back-end database, allowing for the manipulation or disclosure
-  of arbitrary data.
-patched_versions:
-  - ">= 1.1.8"

data/data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-3514
-url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
-title: Data Injection Vulnerability in Active Record
-date: 2014-08-18
-description: >-
-  The create_with functionality in Active Record was implemented
-  incorrectly and completely bypasses the strong parameters
-  protection. Applications which pass user-controlled values to
-  create_with could allow attackers to set arbitrary attributes on
-  models.
-cvss_v2: 8.7
-unaffected_versions:
-  - "< 4.0.0"
-patched_versions:
-  - ~> 4.0.9
-  - ">= 4.1.5"

data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml DELETED

@@ -1,107 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2015-7577
-date: 2016-01-25
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
-title: Nested attributes rejection proc bypass in Active Record
-description: |
-  There is a vulnerability in how the nested attributes feature in Active Record
-  handles updates in combination with destroy flags when destroying records is
-  disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
-  Versions Affected:  3.1.0 and newer
-  Not affected:       3.0.x and older
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  When using the nested attributes feature in Active Record you can prevent the
-  destruction of associated records by passing the `allow_destroy: false` option
-  to the `accepts_nested_attributes_for` method. However due to a change in the
-  commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
-  being called because it assumes that the record will be destroyed anyway.
-  However this isn't true if `:allow_destroy` is false so this leads to changes
-  that would have been rejected being applied to the record. Attackers could use
-  this do things like set attributes to invalid values and to clear all of the
-  attributes amongst other things. The severity will be dependent on how the
-  application has used this feature.
-  All users running an affected release should either upgrade or use one of
-  the workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  If you can't upgrade, please use the following monkey patch in an initializer
-  that is loaded before your application:
-  ```
-  $ cat config/initializers/nested_attributes_bypass_fix.rb
-  module ActiveRecord
-    module NestedAttributes
-      private
-      def reject_new_record?(association_name, attributes)
-        will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
-      end
-      def call_reject_if(association_name, attributes)
-        return false if will_be_destroyed?(association_name, attributes)
-        case callback = self.nested_attributes_options[association_name][:reject_if]
-        when Symbol
-          method(callback).arity == 0 ? send(callback) : send(callback, attributes)
-        when Proc
-          callback.call(attributes)
-        end
-      end
-      def will_be_destroyed?(association_name, attributes)
-        allow_destroy?(association_name) && has_destroy_flag?(attributes)
-      end
-      def allow_destroy?(association_name)
-        self.nested_attributes_options[association_name][:allow_destroy]
-      end
-    end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
-  * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
-  * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
-  * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Thank you to Justin Coyne for reporting the problem and working with us to fix it.
-  [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
-unaffected_versions:
-  - "~> 3.0.0"
-  - "< 3.0.0"
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml DELETED

@@ -1,73 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2016-6317
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
-title: Unsafe Query Generation Risk in Active Record
-description: |
-  There is a vulnerability when Active Record is used in conjunction with JSON
-  parameter parsing. This vulnerability is similar to CVE-2012-2660,
-  CVE-2012-2694 and CVE-2013-0155.
-  Impact
-  ------
-  Due to the way Active Record interprets parameters in combination with the way
-  that JSON parameters are parsed, it is possible for an attacker to issue
-  unexpected database queries with "IS NULL" or empty where clauses.  This issue
-  does *not* let an attacker insert arbitrary values into an SQL query, however
-  they can cause the query to check for NULL or eliminate a WHERE clause when
-  most users wouldn't expect it.
-  For example, a system has password reset with token functionality:
-  ```ruby
-      unless params[:token].nil?
-        user = User.find_by_token(params[:token])
-        user.reset_password!
-      end
-  ```
-  An attacker can craft a request such that `params[:token]` will return
-  `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add
-  an "IN ('xyz', NULL)" clause to the SQL query.
-  Similarly, an attacker can craft a request such that `params[:token]` will
-  return an empty hash.  An empty hash will eliminate the WHERE clause of the
-  query, but can bypass the `nil?` check.
-  Note that this impacts not only dynamic finders (`find_by_*`) but also
-  relations (`User.where(:name => params[:name])`).
-  All users running an affected release should either upgrade or use one of the
-  work arounds immediately. All users running an affected release should upgrade
-  immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
-  CVE-2012-2694, and CVE-2013-0155.  Even if you upgraded to address those
-  issues, you must take action again.
-  If this chance in behavior impacts your application, you can manually decode
-  the original values from the request like so:
-      `ActiveSupport::JSON.decode(request.body)`
-  Workarounds
-  -----------
-  This problem can be mitigated by casting the parameter to a string before
-  passing it to Active Record.  For example:
-    ```ruby
-      unless params[:token].nil? || params[:token].to_s.empty?
-        user = User.find_by_token(params[:token].to_s)
-        user.reset_password!
-      end
-    ```
-unaffected_versions:
-  - "< 4.2.0"
-  - ">= 5.0.0"
-patched_versions:
-  - ">= 4.2.7.1"