6 modified ruby advisories; 2 new jruby advisories (#986)

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>

Author: jasnow

rubies/jruby/CVE-2017-17742.yml

@@ -0,0 +1,23 @@
+---
+engine: jruby
+cve: 2017-17742
+ghsa: 7p4c-jf2w-hc3w
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+title: HTTP response splitting attack in WEBrick
+date: 2018-04-03
+description: |
+  Allows an HTTP Response Splitting attack. An attacker can
+  inject a crafted key and value into an HTTP response for
+  the HTTP server of WEBrick.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+  - ">= 9.2.12.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+    - https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
+    - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+    - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://github.com/advisories/GHSA-7p4c-jf2w-hc3w

rubies/jruby/CVE-2018-8778.yml

@@ -0,0 +1,29 @@
+---
+engine: jruby
+cve: 2018-8778
+ghsa: wvhq-ch4h-8pwr
+url: https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+title: Buffer under-read in String#unpack
+date: 2018-04-03
+description: |
+  An attacker controlling the unpacking format (similar to format
+  string vulnerabilities) can trigger a buffer under-read in the
+  String#unpack method, resulting in a massive and controlled
+  information disclosure.
+
+  `String#unpack` receives format specifiers as its parameter, and can be
+  specified the position of parsing the data by the specifier `@`. If a big
+  number is passed with `@`, the number is treated as the negative value, and
+  out-of-buffer read is occurred. So, if a script accepts an external input as
+  the argument of `String#unpack`, the attacker can read data on heaps.
+
+  All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+  - ">= 9.2.12.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+    - https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
+    - https://github.com/advisories/GHSA-wvhq-ch4h-8pwr

rubies/ruby/CVE-2017-17742.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2017-17742
+ghsa: 7p4c-jf2w-hc3w
 url: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
 title: HTTP response splitting in WEBrick
 date: 2018-03-28
@@ -14,9 +15,31 @@ description: |
   to the clients.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 5.3
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+    - https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+    - https://ubuntu.com/security/notices/USN-3685-1
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2018/dsa-4259
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://github.com/advisories/GHSA-7p4c-jf2w-hc3w

rubies/ruby/CVE-2018-16396.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-16396
+ghsa: xh4x-ph6p-vmxh
 url: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
 title: Tainted flags not always propogated in Array#pack and String#unpack
 date: 2018-10-17
@@ -19,8 +20,29 @@ description: |
   wrong.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 6.0
+cvss_v3: 8.1
 patched_versions:
   - "~> 2.3.8"
   - "~> 2.4.5"
   - "~> 2.5.2"
   - ">= 2.6.0-preview3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-16396
+    - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released
+    - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released
+    - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released
+    - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
+    - https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396
+    - https://hackerone.com/reports/385070
+    - https://ubuntu.com/security/notices/USN-3808-1
+    - https://www.debian.org/security/2018/dsa-4332
+    - https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://security.netapp.com/advisory/ntap-20190221-0002/
+    - https://github.com/advisories/GHSA-xh4x-ph6p-vmxh

rubies/ruby/CVE-2018-6914.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-6914
+ghsa: wpg3-wgm5-rv8w
 url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
 title: Unintentional file and directory creation with directory traversal in tempfile
   and tmpdir
@@ -20,9 +21,31 @@ description: |
   any directory.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-6914
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/
+    - https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914
+    - https://ubuntu.com/security/notices/USN-3626-1
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2018/dsa-4259
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://github.com/advisories/GHSA-wpg3-wgm5-rv8w

rubies/ruby/CVE-2018-8777.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8777
+ghsa: 9j6f-82h4-9mw2
 url: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
 title: DoS by large request in WEBrick
 date: 2018-03-28
@@ -13,9 +14,34 @@ description: |
   DoS attack.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8777
+    - https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+    - https://usn.ubuntu.com/3685-1
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2018/dsa-4259
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - https://access.redhat.com/errata/RHSA-2020:0542
+    - https://access.redhat.com/errata/RHSA-2020:0591
+    - https://access.redhat.com/errata/RHSA-2020:0663
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://github.com/advisories/GHSA-9j6f-82h4-9mw2

rubies/ruby/CVE-2018-8778.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8778
+ghsa: wvhq-ch4h-8pwr
 url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
 title: Buffer under-read in String#unpack
 date: 2018-03-28
@@ -12,9 +13,31 @@ description: |
   the argument of `String#unpack`, the attacker can read data on heaps.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+    - https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
+    - https://ubuntu.com/security/notices/USN-3626-1
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2018/dsa-4259
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://github.com/advisories/GHSA-wvhq-ch4h-8pwr

rubies/ruby/CVE-2018-8779.yml

@@ -20,9 +20,31 @@ description: |
   path.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8779
+    - https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+    - https://ubuntu.com/security/notices/USN-3626-1
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+    - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2018/dsa-4259
+    - https://access.redhat.com/errata/RHSA-2018:3729
+    - https://access.redhat.com/errata/RHSA-2018:3730
+    - https://access.redhat.com/errata/RHSA-2018:3731
+    - https://access.redhat.com/errata/RHSA-2019:2028
+    - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+    - https://github.com/advisories/GHSA-mwq4-948j-88c5