RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.8.0 - Mend

bundler-audit 0.6.1 → 0.8.0

Files changed (426) hide show

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml DELETED Viewed

@@ -1,116 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2015-7576
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
-title: Timing attack vulnerability in basic authentication in Action Controller.
-description: |
-    There is a timing attack vulnerability in the basic authentication support
-    in Action Controller. This vulnerability has been assigned the CVE
-    identifier CVE-2015-7576.
-    Versions Affected:  All.
-    Not affected:       None.
-    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-    Impact
-    ------
-    Due to the way that Action Controller compares user names and passwords in
-    basic authentication authorization code, it is possible for an attacker to
-    analyze the time taken by a response and intuit the password.
-    For example, this string comparison:
-      "foo" == "bar"
-    is possibly faster than this comparison:
-      "foo" == "fo1"
-    Attackers can use this information to attempt to guess the username and
-    password used in the basic authentication system.
-    You can tell you application is vulnerable to this attack by looking for
-    `http_basic_authenticate_with` method calls in your application.
-    All users running an affected release should either upgrade or use one of
-    the workarounds immediately.
-    Releases
-    --------
-    The FIXED releases are available at the normal locations.
-    Workarounds
-    -----------
-    If you can't upgrade, please use the following monkey patch in an initializer
-    that is loaded before your application:
-    ```
-    $ cat config/initializers/basic_auth_fix.rb
-    module ActiveSupport
-      module SecurityUtils
-        def secure_compare(a, b)
-          return false unless a.bytesize == b.bytesize
-          l = a.unpack "C#{a.bytesize}"
-          res = 0
-          b.each_byte { |byte| res |= byte ^ l.shift }
-          res == 0
-        end
-        module_function :secure_compare
-        def variable_size_secure_compare(a, b)
-          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
-        end
-        module_function :variable_size_secure_compare
-      end
-    end
-    module ActionController
-      class Base
-        def self.http_basic_authenticate_with(options = {})
-          before_action(options.except(:name, :password, :realm)) do
-            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-              # This comparison uses & so that it doesn't short circuit and
-              # uses `variable_size_secure_compare` so that length information
-              # isn't leaked.
-              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
-            end
-          end
-        end
-      end
-    end
-    ```
-    Patches
-    -------
-    To aid users who aren't able to upgrade immediately we have provided patches for
-    the two supported release series. They are in git-am format and consist of a
-    single changeset.
-    * 4-1-basic_auth.patch - Patch for 4.1 series
-    * 4-2-basic_auth.patch - Patch for 4.2 series
-    * 5-0-basic_auth.patch - Patch for 5.0 series
-    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-    of earlier unsupported releases are advised to upgrade as soon as possible as we
-    cannot guarantee the continued availability of security fixes for unsupported
-    releases.
-    Credits
-    -------
-    Thank you to Daniel Waterworth for reporting the problem and working with us to
-    fix it.
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml DELETED Viewed

@@ -1,55 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2015-7581
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE"
-title: Object leak vulnerability for wildcard controller routes in Action Pack
-description: |
-  There is an object leak vulnerability for wildcard controllers in Action Pack.
-  This vulnerability has been assigned the CVE identifier CVE-2015-7581.
-  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1
-  Not affected:       < 4.0.0, 5.0.0.beta1 and newer
-  Fixed Versions:     4.2.5.1, 4.1.14.1
-  Impact
-  ------
-  Users that have a route that contains the string ":controller" are susceptible
-  to objects being leaked globally which can lead to unbounded memory growth.
-  To identify if your application is vulnerable, look for routes that contain
-  ":controller".
-  Internally, Action Pack keeps a map of "url controller name" to "controller
-  class name".  This map is cached globally, and is populated even if the
-  controller class doesn't actually exist.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  There are no feasible workarounds for this issue.
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.
-  * 4-1-wildcard_route.patch - Patch for 4.1 series
-  * 4-2-wildcard_route.patch - Patch for 4.2 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
-unaffected_versions:
-  - "< 4.0.0"
-  - ">= 5.0.0.beta1"
-patched_versions:
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml DELETED Viewed

@@ -1,71 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2016-0751
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc"
-title: Possible Object Leak and Denial of Service attack in Action Pack
-description: |
-  There is a possible object leak which can lead to a denial of service
-  vulnerability in Action Pack. This vulnerability has been
-  assigned the CVE identifier CVE-2016-0751.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  A carefully crafted accept header can cause a global cache of mime types to
-  grow indefinitely which can lead to a possible denial of service attack in
-  Action Pack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  This attack can be mitigated by a proxy that only allows known mime types in
-  the Accept header.
-  Placing the following code in an initializer will also mitigate the issue:
-  ```ruby
-  require 'action_dispatch/http/mime_type'
-  Mime.const_set :LOOKUP, Hash.new { |h,k|
-    Mime::Type.new(k) unless k.blank?
-  }
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 5-0-mime_types_leak.patch - Patch for 5.0 series
-  * 4-2-mime_types_leak.patch - Patch for 4.2 series
-  * 4-1-mime_types_leak.patch - Patch for 4.1 series
-  * 3-2-mime_types_leak.patch - Patch for 3.2 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Aaron Patterson <3<3
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml DELETED Viewed

@@ -1,96 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2016-0752
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
-title: Possible Information Leak Vulnerability in Action View
-description: |
-  There is a possible directory traversal and information leak vulnerability in
-  Action View. This vulnerability has been assigned the CVE identifier
-  CVE-2016-0752.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller may be vulnerable to an information leak vulnerability.
-  Impacted code will look something like this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  Carefully crafted requests can cause the above code to render files from
-  unexpected places like outside the application's view directory, and can
-  possibly escalate this to a remote code execution attack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method.  Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 3-2-render_data_leak.patch - Patch for 3.2 series
-  * 4-1-render_data_leak.patch - Patch for 4.1 series
-  * 4-2-render_data_leak.patch - Patch for 4.2 series
-  * 5-0-render_data_leak.patch - Patch for 5.0 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Thanks John Poulin for reporting this!
-unaffected_versions:
-  # Newer versions are affected, but tracked in the actionview gem.
-  - ">= 4.1.0"
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml DELETED Viewed

@@ -1,90 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2016-2097
-date: 2016-02-29
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
-title: Possible Information Leak Vulnerability in Action View
-description: |
-  There is a possible directory traversal and information leak vulnerability
-  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
-  patch was not covering all the scenarios. This vulnerability has been
-  assigned the CVE identifier CVE-2016-2097.
-  Versions Affected:  3.2.x, 4.0.x, 4.1.x
-  Not affected:       4.2+
-  Fixed Versions:     3.2.22.2, 4.1.14.2
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller may be vulnerable to an information leak vulnerability.
-  Impacted code will look something like this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  Carefully crafted requests can cause the above code to render files from
-  unexpected places like outside the application's view directory, and can
-  possibly escalate this to a remote code execution attack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method. Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches
-  for it. It is in git-am format and consist of a single changeset.
-  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
-  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
-  Credits
-  -------
-  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
-  and working with us in the patch!
-unaffected_versions:
-  # Newer versions are affected, but tracked in the actionview gem.
-  - ">= 4.1.0"
-patched_versions:
-  - "~> 3.2.22.2"
-  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml DELETED Viewed

@@ -1,89 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2016-2098
-date: 2016-02-29
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q"
-title: Possible remote code execution vulnerability in Action Pack
-description: |
-  There is a possible remote code execution vulnerability in Action Pack.
-  This vulnerability has been assigned the CVE identifier CVE-2016-2098.
-  Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
-  Not affected:       5.0+
-  Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller or a view may be vulnerable to a code injection.
-  Impacted code will look like this:
-  ```ruby
-  class TestController < ApplicationController
-    def show
-      render params[:id]
-    end
-  end
-  ```
-  An attacker could use the request parameters to coerce the above example
-  to execute arbitrary ruby code.
-  All users running an affected release should either upgrade or use one of
-  the workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method. Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided a
-  patch for it. It is in git-am format and consist of a single changeset.
-  * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
-  * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
-  * 4-2-secure_inline_with_params.patch - Patch for 4.2 series
-  Credits
-  -------
-  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for
-  reporting this!
-unaffected_versions:
-  - ">= 5.0.0.beta1"
-patched_versions:
-  - "~> 3.2.22.2"
-  - "~> 4.2.5, >= 4.2.5.2"
-  - "~> 4.1.14, >= 4.1.14.2"