GHSA SYNC: 1 new advisory; 4 modified advisories

Author: jasnow

rubies/ruby/CVE-2007-5770.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2007-5770
+ghsa: mf83-c25g-48r6
 url: http://www.cvedetails.com/cve/CVE-2007-5770/
 title: Ruby Net::HTTPS library does not validate server certificate CN
 date: 2007-10-08
@@ -15,3 +16,12 @@ cvss_v2: 4.3
 patched_versions:
   - "~> 1.8.6.230"
   - ">= 1.8.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2007-5770
+    - https://bugzilla.redhat.com/show_bug.cgi?id=362081
+    - http://www.debian.org/security/2007/dsa-1410
+    - http://www.debian.org/security/2007/dsa-1411
+    - http://www.debian.org/security/2007/dsa-1412
+    - https://ubuntu.com/security/notices/USN-596-1
+    - https://github.com/advisories/GHSA-mf83-c25g-48r6

rubies/ruby/CVE-2009-0642.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2009-0642
+ghsa: 4gvm-4mw2-9fpv
 url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
 title: Ruby 'OCSP_basic_verify()' X.509 Certificate Verification Vulnerability
 date: 2009-01-29
@@ -15,3 +16,12 @@ patched_versions:
   - "~> 1.8.7.173"
   - "~> 1.9.1.129"
   - ">= 1.9.2.preview.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-0642
+    - https://web.archive.org/web/20111209131753/http://redmine.ruby-lang.org/issues/show/1091
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
+    - https://ubuntu.com/security/notices/USN-805-1
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/48761
+    - https://www.invicti.com/web-application-vulnerabilities/ruby-improper-authentication-vulnerability-cve-2009-0642
+    - https://github.com/advisories/GHSA-4gvm-4mw2-9fpv

rubies/ruby/CVE-2012-4464.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2012-4464
+ghsa: gjcp-rx5c-g849
 url: https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
 title: Ruby Exception#to_s / NameError#to_s Methods Safe Level Security Bypass
 date: 2012-10-12
@@ -15,3 +16,8 @@ cvss_v2: 5.0
 patched_versions:
   - "~> 1.8.7.371"
   - ">= 1.9.3.286"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-4464
+    - https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466
+    - https://github.com/advisories/GHSA-gjcp-rx5c-g849

rubies/ruby/CVE-2014-6438.yml

@@ -0,0 +1,23 @@
+---
+engine: ruby
+cve: 2014-6438
+ghsa: 2j3h-55rq-rj48
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+title: DoS Vulnerability associated with URI.decode_www_form_component method
+date: 2017-09-06
+description: |
+  The URI.decode_www_form_component method in Ruby before 1.9.2-p330
+  allows remote attackers to cause a denial of service (catastrophic
+  regular expression backtracking, resource consumption, or application
+  crash) via a crafted string.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+  - ">= 1.9.2.p330"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+    - https://www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released
+    - https://github.com/ruby/www.ruby-lang.org/issues/817
+    - http://www.openwall.com/lists/oss-security/2015/07/13/6
+    - https://github.com/advisories/GHSA-2j3h-55rq-rj48

rubies/ruby/CVE-2022-28739.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2022-28739
+ghsa: mvgc-rxvg-hqc6
 url: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
 title: Buffer overrun in String-to-Float conversion
 date: 2022-04-12
@@ -10,8 +11,15 @@ description: |
   Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.
 
   Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
+cvss_v2: 4.3
+cvss_v3: 7.5
 patched_versions:
   - "~> 2.6.10"
   - "~> 2.7.6"
   - "~> 3.0.4"
   - ">= 3.1.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-28739
+    - https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739
+    - https://github.com/advisories/GHSA-mvgc-rxvg-hqc6