mrjoy-bundler-audit 0.3.2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 37d67a169ac19c5c1b329c949c4af7dd044876bd
-  data.tar.gz: efbdd7e8335a6f685f77f45bfa6e4d3f4f10804f
+  metadata.gz: 61f5df0b26d555b3c6090841a2e650dc5727dfc8
+  data.tar.gz: 2b8d065557c8713ced0d20ece4733656def2c4e1
 SHA512:
-  metadata.gz: c09b134df68524a62017773ca38bfb95cb10a9cd91a46fde8ba3686fd85910231cc85e9a463b9cd1fb925084311780121b1564e213b108aa2729e5d67f87ca2c
-  data.tar.gz: 966ebb4387b593babd08f303530c7f2f32d7771e622d0371dd687222ee4f12d8f49167c8dcff091ce3c6534fe1fcdb200cdbe0b1cfa5e865cb67ceb078ee6abc
+  metadata.gz: 43deec103a419b873f440cffcab2e681a3dc2f7810588d57d78efb180ab46c902e9b31888aab6dd8793620a97a4bf5e3775b5f404a80d6cb535d74622538ec94
+  data.tar.gz: dd7976caed4e730d05d6d45dc5db2c5b7c65b97930112c401a2e5eecf561549ae2ab677bf741cdae2a9f1b3dba694a87d0edd48967f3b416975220ee60ecc380

data/.ruby-gemset

@@ -0,0 +1 @@
+bundler-audit

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.1.1-p0

data/.travis.yml

@@ -3,3 +3,5 @@ rvm:
   - 1.9.2
   - 1.9.3
   - 2.0.0
+  - 2.1.0
+  - 2.1.1

data/ChangeLog.md

@@ -1,3 +1,13 @@
+### mrjoy-0.3.3 / 2014-04-15
+
+* Fix development-mode code loading issue.
+* Update Travis config to include Ruby 2.1.0 and 2.1.1.
+* Improve test suite to 90+% code coverage.
+* Fix a couple Ruby 1.9-isms.
+* Freshen included vulnerability DB.
+* Incorporate upstream changes, including fix for Bundler-vendored Thor
+  creating a conflict.
+
 ### mrjoy-0.3.2 / 2013-11-04
 
 * Fix for [serious issue](https://github.com/rubysec/bundler-audit/issues/48)
@@ -14,6 +24,14 @@
 * Make regression test more resilient and more bulletproof.
 * Integrate grosser's mechanism for [DRYing up tests a bit](https://github.com/grosser/bundler-audit/commit/8568f936fe86eb92c95d63ef3c0a33bffd3aeee9).
 
+### 0.3.1 / 2013-12-03
+
+* Store the timestamp of when `data/ruby-advisory-db` was last updated in
+  `data/ruby-advisory-db.ts`.
+* Use `data/ruby-advisory-db.ts` instead of the creation time of the
+  `dataruby-advisory-db` directory, which is always the install time
+  of the rubygem.
+
 ### 0.3.0 / 2013-10-31
 
 * Added {Bundler::Audit::Database.update!} which uses `git` to download

data/Gemfile

@@ -8,7 +8,7 @@ group :development do
   gem 'rake',           '~> 10.0', :require => false
   gem 'kramdown',       '~> 0.14'
 
-  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rubygems-tasks', '~> 0.2', :require => false
   gem 'rspec',          '~> 2.4', :require => false
   gem 'yard',           '~> 0.8', :require => false
   gem 'simplecov',      '~> 0.7', :require => false

data/README.md

@@ -30,6 +30,7 @@ Patch-level verification for [Bundler][bundler].
   quality, and easier contribution.
 * Simplified code (see CodeClimate results) to enable more easily reasoning
   about the code.
+* Improve the upstream version's excellent 95.82% C1 covde coverage to 100%.
 
 ## Synopsis
 
@@ -122,6 +123,8 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 ## Requirements
 
+* [RubyGems] >= 1.8
+* [thor] ~> 0.18
 * [bundler] ~> 1.2
 * [RubyGems] >= 1.8
 
@@ -160,8 +163,8 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with mrjoy-bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
+[RubyGems]: https://rubygems.org
+[thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [OSVDB]: http://osvdb.org/
-
-[RubyGems]: https://rubygems.org

data/Rakefile

@@ -11,7 +11,7 @@ rescue LoadError => e
 end
 
 begin
-  Bundler.setup(:development)
+  Bundler.setup(:default, :development)
 rescue Bundler::BundlerError => e
   warn e.message
   warn "Run `bundle install` to install missing gems."
@@ -19,6 +19,7 @@ rescue Bundler::BundlerError => e
 end
 
 require 'rake'
+require 'time'
 
 require 'rubygems/tasks'
 Gem::Tasks.new
@@ -26,25 +27,18 @@ Gem::Tasks.new
 namespace :db do
   desc 'Updates data/ruby-advisory-db'
   task :update do
-    vendored_ctime = nil
+    timestamp = nil
+
     chdir 'data/ruby-advisory-db' do
       sh 'git', 'pull', 'origin', 'master'
-      vendored_ctime = `git log --pretty="%cd" -1`.chomp
-    end
-    File.open("lib/bundler/audit/vendored_time.rb", "w") do |fh|
-      fh.write(%Q{
-# WARNING: DO NOT EDIT THIS FILE BY HAND.  IT IS AUTO-GENERATED!
-module Bundler
-  module Audit
-    class Database
-      VENDORED_REPO_CTIME = Time.parse("#{vendored_ctime}")
-    end
-  end
-end
-})
+
+      File.open('../ruby-advisory-db.ts','w') do |file|
+        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+      end
     end
 
     sh 'git', 'commit', 'data/ruby-advisory-db',
+                        'data/ruby-advisory-db.ts',
                         '-m', 'Updated ruby-advisory-db'
   end
 end
@@ -58,13 +52,7 @@ namespace :spec do
 
     %w[secure unpatched_gems insecure_sources].each do |bundle|
       chdir(File.join(root,bundle)) do
-        begin
-          sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
-        rescue
-          exit(1) if(!File.exist?('Gemfile.lock'))
-          puts "Looks like Gemfile may have been updated.  Attempting to update things."
-          sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle update'
-        end
+        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
       end
     end
   end
@@ -77,3 +65,8 @@ task :default => :spec
 require 'yard'
 YARD::Rake::YardocTask.new
 task :doc => :yard
+
+require './lib/bundler/audit/task'
+Bundler::Audit::Task.new do |r|
+  r.verbose = true
+end

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -12,3 +12,13 @@ Thanks,
 * [Larry W. Cashdollar](http://vapid.dhs.org/)
 * [Michael Grosser](https://github.com/grosser)
 * [Sascha Korth](https://github.com/skorth)
+* [David Radcliffe](https://github.com/dwradcliffe)
+* [Jörg Schiller](https://github.com/joergschiller)
+* [Derek Prior](https://github.com/derekprior)
+* [Joel Chippindale](https://github.com/mocoso)
+* [Josef Šimánek](https://github.com/simi)
+* [Amiel Martin](https://github.com/amiel)
+* [Eric Hodel](https://github.com/drbrain)
+* [Jeremy Olliver](https://github.com/jeremyolliver)
+* [Vasily Vasinov](https://github.com/vasinov)
+* [Phill MV](https://twitter.com/phillmv)

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml

@@ -0,0 +1,20 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6415
+osvdb: 100524
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
+title: XSS Vulnerability in number_to_currency
+date: 2013-12-03
+
+description: |
+  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
+  The number_to_currency helper allows users to nicely format a numeric value. One
+  of the parameters to the helper (unit) is not escaped correctly.  Applications
+  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml

@@ -0,0 +1,21 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6414
+osvdb: 100525
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
+title: Denial of Service Vulnerability in Action View
+date: 2013-12-03
+
+description: |
+  There is a denial of service vulnerability in the header handling component of 
+  Action View.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml

@@ -0,0 +1,27 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6416
+osvdb: 100526
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
+title: XSS Vulnerability in simple_format helper
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the simple_format helper in Ruby on Rails.
+  The simple_format helper converts user supplied text into html text 
+  which is intended to be safe for display. A change made to the 
+  implementation of this helper means that any user provided HTML 
+  attributes will not be escaped correctly. As a result of this error, 
+  applications which pass user-controlled data to be included as html 
+  attributes will be vulnerable to an XSS attack.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+  - ~> 3.1.0
+  - ~> 3.2.0
+
+patched_versions:
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6417
+osvdb: 100527
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
+title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
+date: 2013-12-03
+
+description: |
+  The prior fix to CVE-2013-0155 was incomplete and the use of common
+  3rd party libraries can accidentally circumvent the protection. Due
+  to the way that Rack::Request and Rails::Request interact, it is
+  possible for a 3rd party or custom rack middleware to parse the
+  parameters insecurely and store them in the same key that Rails uses
+  for its own parameters.  In the event that happens the application
+  will receive unsafe parameters and could be vulnerable to the earlier
+  vulnerability. 
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-4491
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: Reflective XSS Vulnerability in Ruby on Rails
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the internationalization component of Ruby on
+  Rails. Under certain common configurations an attacker can provide specially
+  crafted input which will execute a reflective XSS attack.
+  
+  The root cause of this issue is a vulnerability in the i18n gem which has
+  been assigned the identifier CVE-2013-4492.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0081
+osvdb: 103439
+url: http://osvdb.org/show/osvdb/103439
+title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the actionpack/lib/action_view/helpers/number_helper.rb
+  script does not validate input to the 'number_to_currency', 'number_to_percentage',
+  and 'number_to_human' helpers before returning it to users. This may allow a
+  remote attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.17
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0082
+osvdb: 103440
+url: http://osvdb.org/show/osvdb/103440
+title: Denial of Service Vulnerability in Action View when using render :text
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
+  in the text rendering component of Action View that is triggered when
+  handling MIME types that are converted to symbols. This may allow a
+  remote attacker to cause a denial of service.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 4.0.0
+
+patched_versions:
+  - ">= 3.2.17"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml

@@ -0,0 +1,23 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-0080
+osvdb: 103438
+url: http://osvdb.org/show/osvdb/103438
+title: Data Injection Vulnerability in Active Record
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
+  in Active Record. This issue may allow a remote attacker to inject data
+  into PostgreSQL array columns via a specially crafted string.
+
+cvss_v2: 
+
+unaffected_versions:
+  - "< 3.2.0"
+  - ~> 3.2.0
+
+patched_versions:
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml

@@ -0,0 +1,15 @@
+---
+gem: Arabic-Prawn
+osvdb: 104365
+url: http://osvdb.org/show/osvdb/104365
+title: Arabic-Prawn Gem for Ruby contains a flaw
+date: 2014-03-10
+
+description: |
+  Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
+  file. The issue is due to the program failing to sanitize user input. This may
+  allow a remote attacker to inject arbitrary commands.
+
+cvss_v2:
+
+patched_versions:

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml

@@ -8,8 +8,8 @@ date: 2013-10-22
 description: Cocaine Gem for Ruby contains a flaw that is due to the method
   of variable interpolation used by the program. With a specially crafted
   object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2:
+cvss_v2: 6.8
 unaffected_versions:
-  - ~> 0.3.0
+  - < 0.4.0
 patched_versions: 
   - '>= 0.5.3'

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml

@@ -10,7 +10,7 @@ description: |
   context-dependent attacker to potentially execute arbitrary code.
 date: 2013-01-09
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 
 patched_versions:
   - ">= 0.3.2"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml

@@ -8,5 +8,5 @@ date: 2013-03-12
 
 description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 

data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml

@@ -0,0 +1,11 @@
+---
+gem: echor
+osvdb: 102129
+url: http://osvdb.org/show/osvdb/102129
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request function that is triggered when
+  a semi-colon (;) is injected into a username or password. This may allow a context-dependent attacker to inject
+  arbitrary commands if the gem is used in a rails application.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml

@@ -0,0 +1,10 @@
+---
+gem: echor
+osvdb: 102130
+url: http://osvdb.org/show/osvdb/102130
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the
+  system process listing. This may allow a local attacker to gain access to plaintext credential information.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml

@@ -0,0 +1,14 @@
+---
+gem: gitlab-grit
+cve: 2013-4489
+osvdb: 99370
+url: http://www.osvdb.org/show/osvdb/99370
+title: GitLab Grit Gem for Ruby contains a flaw
+date: 2013-11-04
+description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
+  The issue is triggered when input passed via the code search box is not properly sanitized,
+  which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
+  execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - '>= 2.6.1'

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml

@@ -1,19 +1,14 @@
 ---
 gem: httparty
-cve: 2013-1802
+cve: 2013-1801
 osvdb: 90741
 url: http://osvdb.org/show/osvdb/90741
-title:
-  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
 date: 2013-01-14
-
 description: |
   httparty Gem for Ruby contains a flaw that is triggered when a type casting
   error occurs during the parsing of parameters. This may allow a
   context-dependent attacker to potentially execute arbitrary code.
-
-cvss_v2: 9.3
-
+cvss_v2: 7.5
 patched_versions:
   - ">= 0.10.0"
-

data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml

@@ -0,0 +1,17 @@
+---
+gem: i18n
+cve: 2013-4492
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: i18n missing translation error message XSS
+date: 2013-12-03
+
+description: |
+  The HTML exception message raised by I18n::MissingTranslation fails
+  to escape the keys.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 0.5.1
+  - '>= 0.6.6'

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml

@@ -0,0 +1,12 @@
+---
+gem: nokogiri
+cve: 2013-6460
+osvdb: 101179
+url: http://www.osvdb.org/show/osvdb/101179
+title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
+date: 2013-12-14
+description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml

@@ -0,0 +1,15 @@
+---
+gem: nokogiri
+cve: 2013-6461
+osvdb: 101458
+url: http://www.osvdb.org/show/osvdb/101458
+title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS 
+date: 2013-12-14
+description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
+  The issue is due to an incorrectly configured XML parser accepting XML external entities from
+  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
+  loop and crash the program.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml

@@ -11,7 +11,7 @@ description: |
   to execute arbitrary code. This vulnerability has to do with type casting
   during parsing, and is related to CVE-2013-0156.
 
-cvss_v2: 10.0
+cvss_v2: 7.5
 
 patched_versions:
   - ~> 1.0.3

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml

@@ -0,0 +1,22 @@
+---
+gem: omniauth-facebook
+cve: 2013-4562
+osvdb: 99693
+url: http://www.osvdb.org/show/osvdb/99693
+title: omniauth-facebook Gem for Ruby Unspecified CSRF 
+date: 2013-11-12
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
+  require multiple steps, explicit confirmation, or a unique token when
+  performing certain sensitive actions. By tricking a user into following
+  a specially crafted link, a context-dependent attacker can perform a
+  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
+  perform an unspecified action.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.0"
+unaffected_versions:
+  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml

@@ -0,0 +1,17 @@
+---
+gem: omniauth-facebook
+cve: 2013-4593
+osvdb: 99888
+url: http://www.osvdb.org/show/osvdb/99888
+title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass 
+date: 2013-11-14
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
+  supporting passing the access token via the URL. This may allow a remote
+  attacker to bypass authentication and authenticate as another user.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml

@@ -0,0 +1,13 @@
+---
+gem: paperclip
+osvdb: 103151
+url: http://osvdb.org/show/osvdb/103151
+title: Paperclip Gem for Ruby contains a flaw
+date: 2014-01-31
+description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
+  validate the file extension, instead only validating the Content-Type header during file uploads.
+  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
+  spoofing the content-type.
+cvss_v2:
+patched_versions:
+  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml

@@ -0,0 +1,12 @@
+---
+gem: paratrooper-newrelic
+cve: 2014-1234
+osvdb: 101839
+url: http://www.osvdb.org/show/osvdb/101839
+title: Paratrooper-newrelic Gem for Ruby contains a flaw
+date: 2014-01-08
+description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
+  The issue is triggered when the script exposes the API key, allowing a local attacker to
+  gain access to it by monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml

@@ -0,0 +1,13 @@
+---
+gem: paratrooper-pingdom
+cve: 2014-1233
+osvdb: 101847
+url: http://www.osvdb.org/show/osvdb/101847
+title: Paratrooper-pingdom Gem for Ruby contains a flaw
+date: 2013-12-26
+description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
+  The issue is triggered when the script exposes API login credentials, allowing a local
+  attacker to gain access to the API key, username, and password for the API login by
+  monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml

@@ -14,7 +14,7 @@ description: |
   code. This attack is more practical against 'cloud' users as intra-cloud
   latencies are sufficiently low to make the attack viable.
 
-cvss_v2: 7.6
+cvss_v2: 5.1
 patched_versions: 
 - ~> 1.1.6
 - ~> 1.2.8

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml

@@ -0,0 +1,20 @@
+---
+gem: rbovirt
+cve: 2014-0036
+osvdb: 104080
+url: http://osvdb.org/show/osvdb/104080
+title: rbovirt Gem for Ruby contains a flaw
+date: 2014-03-05
+
+description: |
+  rbovirt Gem for Ruby contains a flaw related to certificate validation.
+  The issue is due to the program failing to validate SSL certificates. This may
+  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
+  poisoning) to spoof the SSL server via an arbitrary certificate that appears
+  valid. Such an attack would allow for the interception of sensitive traffic,
+  and potentially allow for the injection of content into the SSL stream.
+
+cvss_v2:
+
+patched_versions:
+  - '>= 0.0.24'