RubyGems - dawnscanner - Versions diffs - 1.4.0 → 1.4.1 - Mend

dawnscanner 1.4.0 → 1.4.1

Files changed (19) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/.travis.yml +1 -0
data/Changelog.md +5 -1
data/VERSION +1 -1
data/checksum/dawnscanner-1.4.0.gem.sha1 +1 -0
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +2 -2
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +1 -1
data/lib/dawn/kb/cve_2015_3225.rb +1 -1
data/lib/dawn/kb/cve_2015_3226.rb +1 -1
data/lib/dawn/kb/cve_2015_3227.rb +1 -1
data/lib/dawn/version.rb +4 -4
data/spec/lib/kb/cve_2015_1840_spec.rb +4 -0
data/spec/lib/kb/cve_2015_3225_spec.rb +4 -0
data/spec/lib/kb/cve_2015_3226_spec.rb +4 -0
data/spec/lib/kb/cve_2015_3227_spec.rb +4 -0
metadata +3 -2
metadata.gz.sig +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f003db35fdc15bed8267a03e98b8486332a8c5bc
-  data.tar.gz: 136a1d5c19c13401f309bb967a6847b2c4c3e00a
+  metadata.gz: 21beffc2d50962f7a17135b47974c233a785b7a9
+  data.tar.gz: a8f73f32dd52afdf4454335109948ca242c3ad25
 SHA512:
-  metadata.gz: b07ea6ad252a9b8bc81b13fcf3a6cef8621894d1621681d1b2898c746639327e2b96a197690562e9d0837e8d87360509645578f5ff3333052b6ef0b4dfb4b50d
-  data.tar.gz: 88129983599961a585d141c1387772acdec4b18a1525763d6ad1371a14fad4e6ae7c22befe0c2412d961738ca812fb522198a965a88d213e9497a5397303cecf
+  metadata.gz: 0b97eeebb92fd48fd5b1ad0fcb8b940d24a51d257d323e5f42eeba993c6a18f51c35670b56b99ffb8f5c450df8cb49170503393012270f32e7118991b57996d8
+  data.tar.gz: e9da9bf28bb243d2ba912698e552040ee7222ea4a87c70f6b5d01b0deb6d6b67a6774e296339c097960b87de686ec7c8b8a699cf0aefecaf3d68108b5ccbe40a

checksums.yaml.gz.sig CHANGED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/.travis.yml CHANGED

@@ -1,5 +1,6 @@
 language: ruby
 rvm:
+  - 2.2.3
   - 2.1.0
   - 2.0.0
   - 1.9.3

data/Changelog.md CHANGED

@@ -5,7 +5,11 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
-_latest update: Wed Sep 16 18:20:21 CEST 2015_
+_latest update: Tue Oct 13 09:53:14 CEST 2015_
+* Applying pull request #145. Thanks to @wmotti, a typo in CVE-2015-1840 has
+  been fixed and the following false positives have been fixed as well:
+  jquery-rails 3.1.4, rack 1.5.5, activesupport 4.1.13
 ## Version 1.4.0 - codename: Tow Mater (2015-09-16)

data/VERSION CHANGED

@@ -13,4 +13,4 @@
 # |   "Guido"       |  1.12.0  |
 # |   "Luigi"       |  1.14.0  |
 # | "Doc Hudson"    |  1.16.0  |
-1.4.0 - Tow Mater
+1.4.1 - Tow Mater

data/checksum/dawnscanner-1.4.0.gem.sha1 ADDED

	@@ -0,0 +1 @@
1	+ fd3c72200a04ff958edb032f66cffebfdda86e01

data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb CHANGED

@@ -8,7 +8,7 @@ module Dawn
           message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
           super({
-            :name=>"CVE-2015-1849",
+            :name=>"CVE-2015-1840",
             :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
             :release_date => Date.new(2015, 7, 26),
             :cwe=>"200",
@@ -19,7 +19,7 @@ module Dawn
             :mitigation=>"Please upgrade jquery-ujs and jquery-rails gems to latest version.",
             :aux_links=>["https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md", "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"]
            })
+          self.save_major = true
           self.safe_dependencies = [{:name=>"jquery-rails", :version=>['4.0.2', '3.1.3']}]
 				end

data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb CHANGED

@@ -8,7 +8,7 @@ module Dawn
           message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
           super({
-            :name=>"CVE-2015-1849",
+            :name=>"CVE-2015-1840",
             :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
             :release_date => Date.new(2015, 7, 26),
             :cwe=>"200",

data/lib/dawn/kb/cve_2015_3225.rb CHANGED

@@ -19,7 +19,7 @@ module Dawn
             :mitigation=>"Please upgrade rack gem to latest version or at least 1.5.4 or 1.6.2.",
             :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJ"]
            })
+          self.save_minor = true
           self.safe_dependencies = [{:name=>"rack", :version=>['1.5.4', '1.6.2']}]
 				end

data/lib/dawn/kb/cve_2015_3226.rb CHANGED

@@ -18,7 +18,7 @@ module Dawn
             :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
             :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"]
            })
+          self.save_minor = true
           self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3', '3.99.99']}]
 				end

data/lib/dawn/kb/cve_2015_3227.rb CHANGED

@@ -19,7 +19,7 @@ module Dawn
             :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
             :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"]
            })
+          self.save_minor = true
           self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3']}]
 				end
 			end

data/lib/dawn/version.rb CHANGED

@@ -1,7 +1,7 @@
 module Dawn
-    VERSION = "1.4.0"
+    VERSION = "1.4.1"
     CODENAME = "Tow Mater"
-    RELEASE = "20150916"
-    BUILD = "21"
-    COMMIT = "gb184185"
+    RELEASE = "20151013"
+    BUILD = "9"
+    COMMIT = "gc7e4aa2"
 end

data/spec/lib/kb/cve_2015_1840_spec.rb CHANGED

@@ -21,6 +21,10 @@ describe "The CVE-2015-1840 vulnerability" do
     @check_a.dependencies = [{:name=>"jquery-rails", :version=>'3.1.3'}]
     @check_a.vuln?.should   == false
   end
+  it "is reported when vulnerable jquery-rails gem is used (3.1.4)" do
+    @check_a.dependencies = [{:name=>"jquery-rails", :version=>'3.1.4'}]
+    @check_a.vuln?.should   == false
+  end
   it "is reported when vulnerable jquery-rails gem is used 4.0.2)" do
     @check_a.dependencies = [{:name=>"jquery-rails", :version=>'4.0.2'}]
     @check_a.vuln?.should   == false

data/spec/lib/kb/cve_2015_3225_spec.rb CHANGED

@@ -16,6 +16,10 @@ describe "The CVE-2015-3225 vulnerability" do
     @check.dependencies = [{:name=>"rack", :version=>'1.5.4'}]
     @check.vuln?.should   == false
   end
+  it "is not reported when safe rack gem is used (1.5.5)" do
+    @check.dependencies = [{:name=>"rack", :version=>'1.5.5'}]
+    @check.vuln?.should   == false
+  end
   it "is not reported when safe rack gem is used (1.6.3)" do
     @check.dependencies = [{:name=>"rack", :version=>'1.6.3'}]
     @check.vuln?.should   == false

data/spec/lib/kb/cve_2015_3226_spec.rb CHANGED

@@ -21,6 +21,10 @@ describe "The CVE-2015-3226 vulnerability" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.1.12'}]
     @check.vuln?.should   == false
   end
+  it "is not reported when safe active_support gem is used (4.1.13)" do
+    @check.dependencies = [{:name=>"activesupport", :version=>'4.1.13'}]
+    @check.vuln?.should   == false
+  end
   it "is not reported when safe active_support gem is used (4.2.3)" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.2.3'}]
     @check.vuln?.should   == false

data/spec/lib/kb/cve_2015_3227_spec.rb CHANGED

@@ -16,6 +16,10 @@ describe "The CVE-2015-3227 vulnerability" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.1.12'}]
     @check.vuln?.should   == false
   end
+  it "is not reported when safe active_support gem is used (4.1.13)" do
+    @check.dependencies = [{:name=>"activesupport", :version=>'4.1.13'}]
+    @check.vuln?.should   == false
+  end
   it "is not reported when safe active_support gem is used (4.2.3)" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.2.3'}]
     @check.vuln?.should   == false

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.4.1
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   1zH2rpK27DW5pOeHUEJn31+gGd111ogP5tYruPV7Qgfy2jUrUPmP67v7nRNlgd84
   Z5mHj9jGk4wgMQy2pk4GDwsXiirZfI0z2WZfySqEldE=
   -----END CERTIFICATE-----
-date: 2015-09-16 00:00:00.000000000 Z
+date: 2015-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cvss
@@ -295,6 +295,7 @@ files:
 - checksum/dawnscanner-1.3.0.gem.sha1
 - checksum/dawnscanner-1.3.1.gem.sha1
 - checksum/dawnscanner-1.3.5.gem.sha1
+- checksum/dawnscanner-1.4.0.gem.sha1
 - dawnscanner.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md

metadata.gz.sig CHANGED

Binary file