dawnscanner 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f003db35fdc15bed8267a03e98b8486332a8c5bc
4
- data.tar.gz: 136a1d5c19c13401f309bb967a6847b2c4c3e00a
3
+ metadata.gz: 21beffc2d50962f7a17135b47974c233a785b7a9
4
+ data.tar.gz: a8f73f32dd52afdf4454335109948ca242c3ad25
5
5
  SHA512:
6
- metadata.gz: b07ea6ad252a9b8bc81b13fcf3a6cef8621894d1621681d1b2898c746639327e2b96a197690562e9d0837e8d87360509645578f5ff3333052b6ef0b4dfb4b50d
7
- data.tar.gz: 88129983599961a585d141c1387772acdec4b18a1525763d6ad1371a14fad4e6ae7c22befe0c2412d961738ca812fb522198a965a88d213e9497a5397303cecf
6
+ metadata.gz: 0b97eeebb92fd48fd5b1ad0fcb8b940d24a51d257d323e5f42eeba993c6a18f51c35670b56b99ffb8f5c450df8cb49170503393012270f32e7118991b57996d8
7
+ data.tar.gz: e9da9bf28bb243d2ba912698e552040ee7222ea4a87c70f6b5d01b0deb6d6b67a6774e296339c097960b87de686ec7c8b8a699cf0aefecaf3d68108b5ccbe40a
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -1,5 +1,6 @@
1
1
  language: ruby
2
2
  rvm:
3
+ - 2.2.3
3
4
  - 2.1.0
4
5
  - 2.0.0
5
6
  - 1.9.3
@@ -5,7 +5,11 @@ It supports [Sinatra](http://www.sinatrarb.com),
5
5
  [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
6
6
  frameworks.
7
7
 
8
- _latest update: Wed Sep 16 18:20:21 CEST 2015_
8
+ _latest update: Tue Oct 13 09:53:14 CEST 2015_
9
+
10
+ * Applying pull request #145. Thanks to @wmotti, a typo in CVE-2015-1840 has
11
+ been fixed and the following false positives have been fixed as well:
12
+ jquery-rails 3.1.4, rack 1.5.5, activesupport 4.1.13
9
13
 
10
14
  ## Version 1.4.0 - codename: Tow Mater (2015-09-16)
11
15
 
data/VERSION CHANGED
@@ -13,4 +13,4 @@
13
13
  # | "Guido" | 1.12.0 |
14
14
  # | "Luigi" | 1.14.0 |
15
15
  # | "Doc Hudson" | 1.16.0 |
16
- 1.4.0 - Tow Mater
16
+ 1.4.1 - Tow Mater
@@ -0,0 +1 @@
1
+ fd3c72200a04ff958edb032f66cffebfdda86e01
@@ -8,7 +8,7 @@ module Dawn
8
8
  message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
9
9
 
10
10
  super({
11
- :name=>"CVE-2015-1849",
11
+ :name=>"CVE-2015-1840",
12
12
  :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
13
  :release_date => Date.new(2015, 7, 26),
14
14
  :cwe=>"200",
@@ -19,7 +19,7 @@ module Dawn
19
19
  :mitigation=>"Please upgrade jquery-ujs and jquery-rails gems to latest version.",
20
20
  :aux_links=>["https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md", "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"]
21
21
  })
22
-
22
+ self.save_major = true
23
23
  self.safe_dependencies = [{:name=>"jquery-rails", :version=>['4.0.2', '3.1.3']}]
24
24
 
25
25
  end
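Review bot: The safe version list on the context line `self.safe_dependencies = [{:name=>"jquery-rails", :version=>['4.0.2', '3.1.3']}]` does not agree with the message in the first hunk of this section, which states the issue affects jquery-rails "4.x before 4.0.4"; if the new `self.save_major = true` makes later releases in the same major series count as fixed (inferred from the name), 4.0.3 would now be reported as safe although the message calls it vulnerable, so either the message or the `'4.0.2'` entry should be corrected. The `self.save_major = true` line is also undocumented, as are the `self.save_minor = true` lines added in the rack check and the two activesupport checks that follow; a one-line comment on each stating what the flag changes in the version comparison, e.g. `# save_major: releases above a listed safe version within the same major series are treated as patched` (wording to be confirmed against the base check class), would make the matching rule visible where it is toggled. The enclosing class and its `initialize` start before the hunk.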
@@ -8,7 +8,7 @@ module Dawn
8
8
  message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
9
9
 
10
10
  super({
11
- :name=>"CVE-2015-1849",
11
+ :name=>"CVE-2015-1840",
12
12
  :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
13
  :release_date => Date.new(2015, 7, 26),
14
14
  :cwe=>"200",
@@ -19,7 +19,7 @@ module Dawn
19
19
  :mitigation=>"Please upgrade rack gem to latest version or at least 1.5.4 or 1.6.2.",
20
20
  :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJ"]
21
21
  })
22
-
22
+ self.save_minor = true
23
23
  self.safe_dependencies = [{:name=>"rack", :version=>['1.5.4', '1.6.2']}]
24
24
 
25
25
  end
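Review bot: The first hunk of this section repeats the jquery-rails message and sets `:name=>"CVE-2015-1840"`, while the second hunk sets `self.safe_dependencies = [{:name=>"rack", :version=>['1.5.4', '1.6.2']}]` with a rack mitigation, and the spec later in this diff describes this check as "The CVE-2015-3225 vulnerability". If this is not a rendering duplicate of the previous file's hunk, the rack check now reports under the jquery-rails identifier with the jquery-rails description, and it needs its own `:name=>"CVE-2015-3225"` and a rack-specific `message`. The enclosing class and its `initialize` start before the hunk.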
@@ -18,7 +18,7 @@ module Dawn
18
18
  :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
19
19
  :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"]
20
20
  })
21
-
21
+ self.save_minor = true
22
22
  self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3', '3.99.99']}]
23
23
 
24
24
  end
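Review bot: The new `self.save_minor = true` line changes how the context line `self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3', '3.99.99']}]` is evaluated, and the `'3.99.99'` entry is not a real release; presumably it is a sentinel covering the whole 3.x series, but nothing on the line says so, and how the base class compares against it under the new flag is not visible here. A short comment such as `# '3.99.99' is a sentinel, not a release: <reason for listing the 3.x series as safe> — confirm against the advisory` would record the intent. The sibling CVE-2015-3227 hunk below lists only `['4.1.12', '4.2.3']` without the sentinel, so the two checks should either agree or document why they differ. The enclosing class starts before the hunk.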
@@ -19,7 +19,7 @@ module Dawn
19
19
  :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
20
20
  :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"]
21
21
  })
22
-
22
+ self.save_minor = true
23
23
  self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3']}]
24
24
  end
25
25
  end
@@ -1,7 +1,7 @@
1
1
  module Dawn
2
- VERSION = "1.4.0"
2
+ VERSION = "1.4.1"
3
3
  CODENAME = "Tow Mater"
4
- RELEASE = "20150916"
5
- BUILD = "21"
6
- COMMIT = "gb184185"
4
+ RELEASE = "20151013"
5
+ BUILD = "9"
6
+ COMMIT = "gc7e4aa2"
7
7
  end
@@ -21,6 +21,10 @@ describe "The CVE-2015-1840 vulnerability" do
21
21
  @check_a.dependencies = [{:name=>"jquery-rails", :version=>'3.1.3'}]
22
22
  @check_a.vuln?.should == false
23
23
  end
24
+ it "is reported when vulnerable jquery-rails gem is used (3.1.4)" do
25
+ @check_a.dependencies = [{:name=>"jquery-rails", :version=>'3.1.4'}]
26
+ @check_a.vuln?.should == false
27
+ end
24
28
  it "is reported when vulnerable jquery-rails gem is used 4.0.2)" do
25
29
  @check_a.dependencies = [{:name=>"jquery-rails", :version=>'4.0.2'}]
26
30
  @check_a.vuln?.should == false
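Review bot: The added example's title `it "is reported when vulnerable jquery-rails gem is used (3.1.4)" do` contradicts its assertion `@check_a.vuln?.should == false`; the change adds 3.1.4 as a false-positive fix, so the title should read `it "is not reported when safe jquery-rails gem is used (3.1.4)" do`, matching the wording used in the rack and activesupport specs below. The pre-existing 4.0.2 example on the following context lines has the same mismatch and a stray `)` in its title, though that is outside this change. The enclosing describe block starts before the hunk.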
@@ -16,6 +16,10 @@ describe "The CVE-2015-3225 vulnerability" do
16
16
  @check.dependencies = [{:name=>"rack", :version=>'1.5.4'}]
17
17
  @check.vuln?.should == false
18
18
  end
19
+ it "is not reported when safe rack gem is used (1.5.5)" do
20
+ @check.dependencies = [{:name=>"rack", :version=>'1.5.5'}]
21
+ @check.vuln?.should == false
22
+ end
19
23
  it "is not reported when safe rack gem is used (1.6.3)" do
20
24
  @check.dependencies = [{:name=>"rack", :version=>'1.6.3'}]
21
25
  @check.vuln?.should == false
@@ -21,6 +21,10 @@ describe "The CVE-2015-3226 vulnerability" do
21
21
  @check.dependencies = [{:name=>"activesupport", :version=>'4.1.12'}]
22
22
  @check.vuln?.should == false
23
23
  end
24
+ it "is not reported when safe active_support gem is used (4.1.13)" do
25
+ @check.dependencies = [{:name=>"activesupport", :version=>'4.1.13'}]
26
+ @check.vuln?.should == false
27
+ end
24
28
  it "is not reported when safe active_support gem is used (4.2.3)" do
25
29
  @check.dependencies = [{:name=>"activesupport", :version=>'4.2.3'}]
26
30
  @check.vuln?.should == false
@@ -16,6 +16,10 @@ describe "The CVE-2015-3227 vulnerability" do
16
16
  @check.dependencies = [{:name=>"activesupport", :version=>'4.1.12'}]
17
17
  @check.vuln?.should == false
18
18
  end
19
+ it "is not reported when safe active_support gem is used (4.1.13)" do
20
+ @check.dependencies = [{:name=>"activesupport", :version=>'4.1.13'}]
21
+ @check.vuln?.should == false
22
+ end
19
23
  it "is not reported when safe active_support gem is used (4.2.3)" do
20
24
  @check.dependencies = [{:name=>"activesupport", :version=>'4.2.3'}]
21
25
  @check.vuln?.should == false
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dawnscanner
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.0
4
+ version: 1.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
30
30
  1zH2rpK27DW5pOeHUEJn31+gGd111ogP5tYruPV7Qgfy2jUrUPmP67v7nRNlgd84
31
31
  Z5mHj9jGk4wgMQy2pk4GDwsXiirZfI0z2WZfySqEldE=
32
32
  -----END CERTIFICATE-----
33
- date: 2015-09-16 00:00:00.000000000 Z
33
+ date: 2015-10-13 00:00:00.000000000 Z
34
34
  dependencies:
35
35
  - !ruby/object:Gem::Dependency
36
36
  name: cvss
@@ -295,6 +295,7 @@ files:
295
295
  - checksum/dawnscanner-1.3.0.gem.sha1
296
296
  - checksum/dawnscanner-1.3.1.gem.sha1
297
297
  - checksum/dawnscanner-1.3.5.gem.sha1
298
+ - checksum/dawnscanner-1.4.0.gem.sha1
298
299
  - dawnscanner.gemspec
299
300
  - doc/codesake-dawn.yaml.sample
300
301
  - doc/dawn_1_0_announcement.md
metadata.gz.sig CHANGED
Binary file