GHSA SYNC: 3 modified advisory; 3 new advisory (#978)

Author: jasnow

rubies/mruby/CVE-2020-36401.yml

@@ -0,0 +1,28 @@
+---
+engine: mruby
+cve: 2020-36401
+ghsa: qq64-7fh7-7hmw
+url: https://nvd.nist.gov/vuln/detail/CVE-2020-36401
+title: double free vulnerabliity
+date: 2021-06-30
+description: |
+  mruby 2.1.2 has a double free in mrb_default_allocf (called
+  from mrb_free and obj_free).
+
+  # RELEASE NOTES
+
+  Cloned "mruby" repo, ran "git fetch --all --tags", then
+  "git tag --contains 97319697c8f9f6ff27b32589947e1918e3015503"
+   and got "3.0.0-preview, 3.0.0-rc, 3.0.0, ... 3.4.0-rc2".
+cvss_v2: 6.8
+cvss_v3: 7.8
+patched_versions:
+  - ">= 3.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-36401
+    - https://mruby.org/releases/2021/03/05/mruby-3.0.0-released.html
+    - https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+    - https://issues.oss-fuzz.com/issues/42485317
+    - https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml
+    - https://github.com/advisories/GHSA-qq64-7fh7-7hmw

rubies/ruby/CVE-2006-1931.yml

@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2006-1931
+osvdb: 24972
+ghsa: j98g-25wq-62h9
+url: https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+title: Ruby http/xmlrpc server DoS
+date: 2006-04-20
+description: |
+  The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets,
+  which allows attackers to cause a denial of service
+  (blocked connections) via a large amount of data.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.8.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+    - https://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch
+    - https://security.gentoo.org/glsa/200605-11
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/26102
+    - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540
+    - https://web.archive.org/web/20201208004659/https://usn.ubuntu.com/273-1
+    - https://web.archive.org/web/20070430022104/http://www.debian.org/security/2006/dsa-1157
+    - https://web.archive.org/web/20061128124605/http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/27787
+    - https://github.com/advisories/GHSA-j98g-25wq-62h9

rubies/ruby/CVE-2009-5147.yml

@@ -1,14 +1,30 @@
 ---
 engine: ruby
 cve: 2009-5147
-url: https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/
-title: Ruby DL::dlopen could open a library with tainted library name even if $SAFE
-  > 0
+ghsa: mmq8-m72q-qgm4
+url: https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+title: Ruby DL::dlopen could open a library with tainted library
+  name even if $SAFE > 0
 date: 2009-05-12
 description: |
   DL::dlopen could open a library with tainted library name even if $SAFE > 0
+cvss_v2: 7.5
+cvss_v3: 7.3
 unaffected_versions:
   - "< 1.9.1"
   - ">= 1.9.2"
 patched_versions:
   - "~> 1.9.1.129"
+  - ">= 2.1.8"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+    - https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-1-8-released
+    - https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released
+    - https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
+    - https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
+    - http://seclists.org/oss-sec/2015/q3/222
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1248935
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://github.com/advisories/GHSA-mmq8-m72q-qgm4
+    - https://web.archive.org/web/20200227161903/https://www.securityfocus.com/bid/76060

rubies/ruby/CVE-2015-7551.yml

@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2015-7551
-url: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
+ghsa: m9xr-x5mq-4fp5
+url: https://nvd.nist.gov/vuln/detail/CVE-2015-7551
 title: Unsafe tainted string usage in Fiddle and DL
 date: 2015-12-16
 description: |
@@ -10,10 +11,25 @@ description: |
   was reimplemented using Fiddle and libffi.
   And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other
   branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.
+cvss_v2: 4.6
+cvss_v3: 8.4
+unaffected_versions:
+  - "~> 1.9.1.129"
 patched_versions:
   - "~> 2.0.0.648"
   - "~> 2.1.8"
   - "~> 2.2.4"
   - ">= 2.3.0"
-unaffected_versions:
-  - "~> 1.9.1.129"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-7551
+    - https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551
+    - https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
+    - https://ubuntu.com/security/CVE-2015-7551
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796551
+    - https://www.oracle.com/security-alerts/bulletinapr2016.html
+    - https://web.archive.org/web/20161001113255/http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
+    - https://web.archive.org/web/20181112082809/https://puppet.com/security/cve/ruby-dec-2015-security-fixes
+    - https://github.com/advisories/GHSA-m9xr-x5mq-4fp5

rubies/ruby/CVE-2017-0898.yml

@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2017-0898
-url: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-0898
+ghsa: wvmx-3rv2-5jgf
 title: Buffer underrun vulnerability in Kernel.sprintf
 date: 2017-09-14
 description: |
@@ -13,7 +14,24 @@ description: |
   the Ruby interpreter may crash.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 6.4
+cvss_v3: 9.1
 patched_versions:
   - "~> 2.2.8"
   - "~> 2.3.5"
   - ">= 2.4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-0898
+    - https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898
+    - https://hackerone.com/reports/212241
+    - https://access.redhat.com/errata/RHSA-2017:3485
+    - https://access.redhat.com/errata/RHSA-2018:0378
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://access.redhat.com/errata/RHSA-2018:0585
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://security.gentoo.org/glsa/201710-18
+    - https://www.debian.org/security/2017/dsa-4031
+    - https://ubuntu.com/security/notices/USN-3685-1
+    - https://web.archive.org/web/20200227145420/https://www.securityfocus.com/bid/100862
+    - https://github.com/advisories/GHSA-wvmx-3rv2-5jgf

rubies/ruby/CVE-2021-32066.yml

@@ -0,0 +1,37 @@
+---
+engine: ruby
+cve: 2021-32066
+ghsa: gx49-h5r3-q3xj
+url: https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+title: imap - StartTLS stripping attack
+date: 2021-08-01
+description: |
+  An issue was discovered in Ruby through
+  2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
+  Net::IMAP does not raise an exception when StartTLS fails with
+  an an unknown response, which might allow man-in-the-middle
+  attackers to bypass the TLS protections by leveraging a network
+  position between the client and the registry to block the
+  StartTLS command, aka a "StartTLS stripping attack."
+cvss_v2: 5.8
+cvss_v3: 7.4
+patched_versions:
+  - "~> 2.6.8"
+  - "~> 2.7.4"
+  - ">= 3.0.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap
+    - https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
+    - https://hackerone.com/reports/1178562
+    - https://osv.dev/vulnerability/BIT-ruby-2021-32066?utm_source=copilot.com
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
+    - https://www.oracle.com/security-alerts/cpuapr2022.html
+    - https://security.netapp.com/advisory/ntap-20210902-0004
+    - https://security.gentoo.org/glsa/202401-27
+    - https://github.com/advisories/GHSA-gx49-h5r3-q3xj