GHSA SYNC: 2 modified and 2 new advisories

Author: jasnow

rubies/ruby/CVE-2006-1931.yml

@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2006-1931
+osvdb: 24972
+ghsa: j98g-25wq-62h9
+url: https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+title: Ruby http/xmlrpc server DoS
+date: 2006-04-20
+description: |
+  The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets,
+  which allows attackers to cause a denial of service 
+  (blocked connections) via a large amount of data.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.8.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+    - https://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch
+    - https://security.gentoo.org/glsa/200605-11
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/26102
+    - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540
+    - https://web.archive.org/web/20201208004659/https://usn.ubuntu.com/273-1
+    - https://web.archive.org/web/20070430022104/http://www.debian.org/security/2006/dsa-1157
+    - https://web.archive.org/web/20061128124605/http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/27787
+    - https://github.com/advisories/GHSA-j98g-25wq-62h9

rubies/ruby/CVE-2009-5147.yml

@@ -1,14 +1,28 @@
 ---
 engine: ruby
 cve: 2009-5147
-url: https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/
-title: Ruby DL::dlopen could open a library with tainted library name even if $SAFE
-  > 0
+ghsa: mmq8-m72q-qgm4
+url: https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+title: Ruby DL::dlopen could open a library with tainted library
+  name even if $SAFE > 0
 date: 2009-05-12
 description: |
   DL::dlopen could open a library with tainted library name even if $SAFE > 0
+cvss_v2: 7.5
+cvss_v3: 7.3
 unaffected_versions:
   - "< 1.9.1"
   - ">= 1.9.2"
 patched_versions:
   - "~> 1.9.1.129"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+    - https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released
+    - https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
+    - https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
+    - http://seclists.org/oss-sec/2015/q3/222
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1248935
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://github.com/advisories?query=GHSA-mmq8-m72q-qgm4
+    - https://web.archive.org/web/20200227161903/https://www.securityfocus.com/bid/76060

rubies/ruby/CVE-2015-7551.yml

@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2015-7551
-url: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
+ghsa: m9xr-x5mq-4fp5
+url: https://nvd.nist.gov/vuln/detail/CVE-2015-7551
 title: Unsafe tainted string usage in Fiddle and DL
 date: 2015-12-16
 description: |
@@ -10,10 +11,25 @@ description: |
   was reimplemented using Fiddle and libffi.
   And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other
   branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.
+cvss_v2: 4.6
+cvss_v3: 8.4
+unaffected_versions:
+  - "~> 1.9.1.129"
 patched_versions:
   - "~> 2.0.0.648"
   - "~> 2.1.8"
   - "~> 2.2.4"
   - ">= 2.3.0"
-unaffected_versions:
-  - "~> 1.9.1.129"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-7551
+    - https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551
+    - https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
+    - https://ubuntu.com/security/CVE-2015-7551
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796551
+    - https://www.oracle.com/security-alerts/bulletinapr2016.html
+    - https://web.archive.org/web/20161001113255/http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
+    - https://web.archive.org/web/20181112082809/https://puppet.com/security/cve/ruby-dec-2015-security-fixes
+    - https://github.com/advisories/GHSA-m9xr-x5mq-4fp5

rubies/ruby/CVE-2021-32066.yml

@@ -0,0 +1,37 @@
+---
+engine: ruby
+cve: 2021-32066
+ghsa: gx49-h5r3-q3xj
+url: https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+title: imap - StartTLS stripping attack
+date: 2021-08-01
+description: |
+  An issue was discovered in Ruby through
+  2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
+  Net::IMAP does not raise an exception when StartTLS fails with
+  an an unknown response, which might allow man-in-the-middle
+  attackers to bypass the TLS protections by leveraging a network
+  position between the client and the registry to block the
+  StartTLS command, aka a "StartTLS stripping attack."
+cvss_v2: 5.8
+cvss_v3: 7.4
+patched_versions:
+  - "~> 2.6.8"
+  - "~> 2.7.4"
+  - ">= 3.0.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap
+    - https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
+    - https://hackerone.com/reports/1178562
+    - https://osv.dev/vulnerability/BIT-ruby-2021-32066?utm_source=copilot.com
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
+    - https://www.oracle.com/security-alerts/cpuapr2022.html
+    - https://security.netapp.com/advisory/ntap-20210902-0004
+    - https://security.gentoo.org/glsa/202401-27
+    - https://github.com/advisories/GHSA-gx49-h5r3-q3xj