From f8ab84eebb2b2df8b56d8dd2e30d3d321e54680e Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sun, 1 Feb 2026 16:35:36 -0500
Subject: [PATCH 1/8] GHSA SYNC: 1 modified advisory; 1 new advisory

---
 rubies/mruby/CVE-2020-36401.yml | 28 ++++++++++++++++++++++++++++
 rubies/ruby/CVE-2017-0898.yml | 25 ++++++++++++++++++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 rubies/mruby/CVE-2020-36401.yml

diff --git a/rubies/mruby/CVE-2020-36401.yml b/rubies/mruby/CVE-2020-36401.yml
new file mode 100644
index 0000000000..1cc2fdf38a
--- /dev/null
+++ b/rubies/mruby/CVE-2020-36401.yml
@@ -0,0 +1,28 @@
+---
+engine: mruby
+cve: 2020-36401
+ghsa: qq64-7fh7-7hmw
+url: https://nvd.nist.gov/vuln/detail/CVE-2020-36401
+title: double free vulnerabliity
+date: 2021-06-30
+description: |
+  mruby 2.1.2 has a double free in mrb_default_allocf (called
+  from mrb_free and obj_free).
+
+  # RELEASE NOTES
+
+  Cloned "mruby" repo, ran "git fetch --all --tags", then
+  "git tag --contains 97319697c8f9f6ff27b32589947e1918e3015503"
+  and got "3.0.0-preview, 3.0.0-rc, 3.0.0, ... 3.4.0-rc2".
+cvss_v2: 6.8
+cvss_v3: 7.8
+patched_versions:
+  - ">= 3.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-36401
+    - https://mruby.org/releases/2021/03/05/mruby-3.0.0-released.html
+    - https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+    - https://issues.oss-fuzz.com/issues/42485317
+    - https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml
+    - https://github.com/advisories/GHSA-qq64-7fh7-7hmw
diff --git a/rubies/ruby/CVE-2017-0898.yml b/rubies/ruby/CVE-2017-0898.yml
index 0540111947..63ea385324 100644
--- a/rubies/ruby/CVE-2017-0898.yml
+++ b/rubies/ruby/CVE-2017-0898.yml
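Review bot: The new CVE-2020-36401.yml carries the maintainer's research log inside `description:` — the `# RELEASE NOTES` line and the "Cloned "mruby" repo, ran git fetch…" paragraph are literal block-scalar content (the `#` is not a comment there), so consumers will render the git-tag lookup as part of the vulnerability text. Keep `description:` to the first two lines and move the tag-lookup paragraph under a `notes: |` key, which this same series uses in CVE-2017-0898.yml, or drop it in favour of the commit link already in `related.url`. The title also has a typo; it should read `title: double free vulnerability`.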
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2017-0898
-url: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-0898
+ghsa: wvmx-3rv2-5jgf
 title: Buffer underrun vulnerability in Kernel.sprintf
 date: 2017-09-14
 description: |
@@ -13,7 +14,29 @@ description: |
   the Ruby interpreter may crash. All users running an affected release should upgrade immediately.
+
+  Also impacted mruby - issue #3722 mentioned it was fixed in 1.3.0.
+cvss_v2: 6.4
+cvss_v3: 9.1
 patched_versions:
   - "~> 2.2.8"
   - "~> 2.3.5"
   - ">= 2.4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-0898
+    - https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898
+    - https://github.com/mruby/mruby/issues/3722
+    - https://hackerone.com/reports/212241
+    - https://access.redhat.com/errata/RHSA-2017:3485
+    - https://access.redhat.com/errata/RHSA-2018:0378
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://access.redhat.com/errata/RHSA-2018:0585
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://security.gentoo.org/glsa/201710-18
+    - https://www.debian.org/security/2017/dsa-4031
+    - https://ubuntu.com/security/notices/USN-3685-1
+    - https://web.archive.org/web/20200227145420/https://www.securityfocus.com/bid/100862
+    - https://github.com/advisories/GHSA-wvmx-3rv2-5jgf
+notes: |
+  - Do I need to duplicate this advisory under "mruby" directory?
From 94269750e6fe81c901798d458a9728d781c01cc0 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sun, 1 Feb 2026 20:11:57 -0500
Subject: [PATCH 2/8] GHSA SYNC: 2 modified and 2 new advisories

---
 rubies/ruby/CVE-2006-1931.yml | 26 ++++++++++++++++++++++++
 rubies/ruby/CVE-2009-5147.yml | 20 +++++++++++++++---
 rubies/ruby/CVE-2015-7551.yml | 22 +++++++++++++++++---
 rubies/ruby/CVE-2021-32066.yml | 37 ++++++++++++++++++++++++++++++++++
 4 files changed, 99 insertions(+), 6 deletions(-)
 create mode 100644 rubies/ruby/CVE-2006-1931.yml
 create mode 100644 rubies/ruby/CVE-2021-32066.yml

diff --git a/rubies/ruby/CVE-2006-1931.yml b/rubies/ruby/CVE-2006-1931.yml
new file mode 100644
index 0000000000..de078c456a
--- /dev/null
+++ b/rubies/ruby/CVE-2006-1931.yml
@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2006-1931
+osvdb: 24972
+ghsa: j98g-25wq-62h9
+url: https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+title: Ruby http/xmlrpc server DoS
+date: 2006-04-20
+description: |
+  The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets,
+  which allows attackers to cause a denial of service 
+  (blocked connections) via a large amount of data.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.8.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2006-1931
+    - https://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch
+    - https://security.gentoo.org/glsa/200605-11
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/26102
+    - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540
+    - https://web.archive.org/web/20201208004659/https://usn.ubuntu.com/273-1
+    - https://web.archive.org/web/20070430022104/http://www.debian.org/security/2006/dsa-1157
+    - https://web.archive.org/web/20061128124605/http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/27787
+    - https://github.com/advisories/GHSA-j98g-25wq-62h9
diff --git a/rubies/ruby/CVE-2009-5147.yml b/rubies/ruby/CVE-2009-5147.yml
index 39165e605f..7dc138e865 100644
--- a/rubies/ruby/CVE-2009-5147.yml
+++ b/rubies/ruby/CVE-2009-5147.yml
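Review bot: The affected range in the new CVE-2006-1931.yml is internally inconsistent: `description:` says "Ruby before 1.8.2", but `patched_versions:` declares `">= 1.8.3"`, which leaves 1.8.2 itself marked vulnerable, and the `related.url` entry `ruby-1.8.2-xmlrpc-dos-1.patch` suggests 1.8.2 was in fact affected and fixed by a point patch rather than by an earlier release. Tooling that matches installed versions against `patched_versions` will flag 1.8.2 while the prose tells the reader it is safe, so one of the two needs to change; the description should state the range the version fields actually encode (presumably "1.8.2 and earlier" — confirm against the linked patch and distro advisories). If the 1.8.3 boundary is intentional, a short `notes: |` entry explaining why the description and the patched range differ would stop the next sync from "correcting" it.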
@@ -1,14 +1,28 @@
 ---
 engine: ruby
 cve: 2009-5147
-url: https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/
-title: Ruby DL::dlopen could open a library with tainted library name even if $SAFE
-  > 0
+ghsa: mmq8-m72q-qgm4
+url: https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+title: Ruby DL::dlopen could open a library with tainted library
+  name even if $SAFE > 0
 date: 2009-05-12
 description: |
   DL::dlopen could open a library with tainted library name even if $SAFE > 0
+cvss_v2: 7.5
+cvss_v3: 7.3
 unaffected_versions:
   - "< 1.9.1"
   - ">= 1.9.2"
 patched_versions:
   - "~> 1.9.1.129"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+    - https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released
+    - https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
+    - https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
+    - http://seclists.org/oss-sec/2015/q3/222
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1248935
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - https://github.com/advisories?query=GHSA-mmq8-m72q-qgm4
+    - https://web.archive.org/web/20200227161903/https://www.securityfocus.com/bid/76060
diff --git a/rubies/ruby/CVE-2015-7551.yml b/rubies/ruby/CVE-2015-7551.yml
index d0c53fcfbf..d5b8d02c46 100644
--- a/rubies/ruby/CVE-2015-7551.yml
+++ b/rubies/ruby/CVE-2015-7551.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2015-7551
-url: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
+ghsa: m9xr-x5mq-4fp5
+url: https://nvd.nist.gov/vuln/detail/CVE-2015-7551
 title: Unsafe tainted string usage in Fiddle and DL
 date: 2015-12-16
 description: |
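Review bot: The rewritten `title:` in CVE-2009-5147.yml is still a multi-line plain scalar (`+title: Ruby DL::dlopen could open a library with tainted library` continued by `+  name even if $SAFE > 0`), which YAML folds into one string silently and which yamllint and casual readers tend to misread as two keys or as a truncated value. Since the commit is already reworking that line, make the folding explicit with `title: >-` followed by the two indented lines `Ruby DL::dlopen could open a library with tainted library` and `name even if $SAFE > 0`; the parsed value is the same, but the intent is visible and a future edit cannot accidentally turn `>` or `$SAFE` into a plain-scalar surprise. The same treatment would suit any other long `title:` values the sync touches.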
@@ -10,10 +11,25 @@ description: |
   was reimplemented using Fiddle and libffi. And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.
+cvss_v2: 4.6
+cvss_v3: 8.4
+unaffected_versions:
+  - "~> 1.9.1.129"
 patched_versions:
   - "~> 2.0.0.648"
   - "~> 2.1.8"
   - "~> 2.2.4"
   - ">= 2.3.0"
-unaffected_versions:
-  - "~> 1.9.1.129"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-7551
+    - https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551
+    - https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
+    - https://ubuntu.com/security/CVE-2015-7551
+    - https://access.redhat.com/errata/RHSA-2018:0583
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796551
+    - https://www.oracle.com/security-alerts/bulletinapr2016.html
+    - https://web.archive.org/web/20161001113255/http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
+    - https://web.archive.org/web/20181112082809/https://puppet.com/security/cve/ruby-dec-2015-security-fixes
+    - https://github.com/advisories/GHSA-m9xr-x5mq-4fp5
diff --git a/rubies/ruby/CVE-2021-32066.yml b/rubies/ruby/CVE-2021-32066.yml
new file mode 100644
index 0000000000..5802cd102c
--- /dev/null
+++ b/rubies/ruby/CVE-2021-32066.yml
@@ -0,0 +1,37 @@
+---
+engine: ruby
+cve: 2021-32066
+ghsa: gx49-h5r3-q3xj
+url: https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+title: imap - StartTLS stripping attack
+date: 2021-08-01
+description: |
+  An issue was discovered in Ruby through
+  2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
+  Net::IMAP does not raise an exception when StartTLS fails with
+  an an unknown response, which might allow man-in-the-middle
+  attackers to bypass the TLS protections by leveraging a network
+  position between the client and the registry to block the
+  StartTLS command, aka a "StartTLS stripping attack."
+cvss_v2: 5.8
+cvss_v3: 7.4
+patched_versions:
+  - "~> 2.6.8"
+  - "~> 2.7.4"
+  - ">= 3.0.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32066
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap
+    - https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
+    - https://hackerone.com/reports/1178562
+    - https://osv.dev/vulnerability/BIT-ruby-2021-32066?utm_source=copilot.com
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
+    - https://www.oracle.com/security-alerts/cpuapr2022.html
+    - https://security.netapp.com/advisory/ntap-20210902-0004
+    - https://security.gentoo.org/glsa/202401-27
+    - https://github.com/advisories/GHSA-gx49-h5r3-q3xj
From a438dc8e963424a6180c62aa7447fa7ff44acfb2 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sun, 1 Feb 2026 20:17:31 -0500
Subject: [PATCH 3/8] Removed trailing space on 1 line

Removed trailing space on 1 line
---
 rubies/ruby/CVE-2006-1931.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
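Review bot: The OSV reference in the new CVE-2021-32066.yml carries a tracking query string, `?utm_source=copilot.com`, which does not identify the record and leaks where the link was copied from; the entry should be `- https://osv.dev/vulnerability/BIT-ruby-2021-32066`. The `date: 2021-08-01` also looks inconsistent with the evidence in the same file: every ruby-lang.org reference under `related.url` is dated 2021/07/07, so the disclosure and fix date appears to be 2021-07-07 — confirm which date the schema expects and use that one. Minor, but "with an an unknown response" in `description:` is a doubled article worth fixing while the text is being imported.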
diff --git a/rubies/ruby/CVE-2006-1931.yml b/rubies/ruby/CVE-2006-1931.yml
index de078c456a..b4e47ae966 100644
--- a/rubies/ruby/CVE-2006-1931.yml
+++ b/rubies/ruby/CVE-2006-1931.yml
@@ -8,7 +8,7 @@ title: Ruby http/xmlrpc server DoS
 date: 2006-04-20
 description: |
   The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets,
-  which allows attackers to cause a denial of service 
+  which allows attackers to cause a denial of service
   (blocked connections) via a large amount of data.
 cvss_v2: 5.0
 patched_versions:
From dce61593f3802b4ddf9a9fd7ece4f6b9aec0122f Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 3 Feb 2026 19:54:54 -0500
Subject: [PATCH 4/8] Fix advisory link format in CVE-2009-5147.yml

---
 rubies/ruby/CVE-2009-5147.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2009-5147.yml b/rubies/ruby/CVE-2009-5147.yml
index 7dc138e865..4d781dc08a 100644
--- a/rubies/ruby/CVE-2009-5147.yml
+++ b/rubies/ruby/CVE-2009-5147.yml
@@ -24,5 +24,5 @@ related:
     - http://seclists.org/oss-sec/2015/q3/222
     - https://bugzilla.redhat.com/show_bug.cgi?id=1248935
     - https://access.redhat.com/errata/RHSA-2018:0583
-    - https://github.com/advisories?query=GHSA-mmq8-m72q-qgm4
+    - https://github.com/advisories/GHSA-mmq8-m72q-qgm4
     - https://web.archive.org/web/20200227161903/https://www.securityfocus.com/bid/76060
From 4287b26aeb872c3c882d132edcd692be0e247c91 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 3 Feb 2026 19:59:07 -0500
Subject: [PATCH 5/8] Add 2,1,8 patched version for CVE-2009-5147

---
 rubies/ruby/CVE-2009-5147.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rubies/ruby/CVE-2009-5147.yml b/rubies/ruby/CVE-2009-5147.yml
index 4d781dc08a..9239ab4ca7 100644
--- a/rubies/ruby/CVE-2009-5147.yml
+++ b/rubies/ruby/CVE-2009-5147.yml
@@ -15,9 +15,11 @@ unaffected_versions:
   - ">= 1.9.2"
 patched_versions:
   - "~> 1.9.1.129"
+  - ">= >= 2.1.8"
 related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2009-5147
+    - https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-1-8-released
     - https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released
     - https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
     - https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e
From ee6f6948b8f67ee4ec1e42430043a6714ae599f1 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 3 Feb 2026 20:04:29 -0500
Subject: [PATCH 6/8] Update CVE-2017-0898.yml to remove mruby references

Removed references to mruby and related issues from the CVE advisory.
---
 rubies/ruby/CVE-2017-0898.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/rubies/ruby/CVE-2017-0898.yml b/rubies/ruby/CVE-2017-0898.yml
index 63ea385324..60bf3ea8f0 100644
--- a/rubies/ruby/CVE-2017-0898.yml
+++ b/rubies/ruby/CVE-2017-0898.yml
@@ -14,8 +14,6 @@ description: |
   the Ruby interpreter may crash. All users running an affected release should upgrade immediately.
-
-  Also impacted mruby - issue #3722 mentioned it was fixed in 1.3.0.
 cvss_v2: 6.4
 cvss_v3: 9.1
 patched_versions:
@@ -26,7 +24,6 @@ related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2017-0898
     - https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898
-    - https://github.com/mruby/mruby/issues/3722
     - https://hackerone.com/reports/212241
     - https://access.redhat.com/errata/RHSA-2017:3485
     - https://access.redhat.com/errata/RHSA-2018:0378
@@ -38,5 +35,4 @@ related:
     - https://ubuntu.com/security/notices/USN-3685-1
     - https://web.archive.org/web/20200227145420/https://www.securityfocus.com/bid/100862
     - https://github.com/advisories/GHSA-wvmx-3rv2-5jgf
-notes: |
-  - Do I need to duplicate this advisory under "mruby" directory?
+ 
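Review bot: Adding `- ">= 2.1.8"` under `patched_versions:` contradicts the `unaffected_versions:` entry `- ">= 1.9.2"` kept as context two lines above: if every release from 1.9.2 onward is declared unaffected, 2.1.8 cannot be the fix, and version-matching tooling will treat 1.9.2–2.1.7 as clean while the new line says otherwise. The release-note URL added alongside it is dated 2015/12/16, the same date as CVE-2015-7551.yml in this series, whose `patched_versions:` already lists `"~> 2.1.8"` and whose description states that the DL issue was "not fixed at other branches" after 1.9.1 — so the 2.1.8 fix likely belongs to that advisory, and the `">= 1.9.2"` unaffected entry here looks wrong rather than the new line. Either drop `- ">= 1.9.2"` from `unaffected_versions:` and keep the full patched list, or leave 2.1.8 to CVE-2015-7551 and not add it here; patch 8 later fixes only the doubled `>=` operator on this line, not the range conflict. The enclosing `unaffected_versions:` mapping starts outside the hunk.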
From e14e4063a74ca9d81cb1328c392f7d71dceecd5e Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 3 Feb 2026 20:07:59 -0500
Subject: [PATCH 7/8] Remove empty line in CVE-2017-0898.yml

---
 rubies/ruby/CVE-2017-0898.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rubies/ruby/CVE-2017-0898.yml b/rubies/ruby/CVE-2017-0898.yml
index 60bf3ea8f0..3b09a839ef 100644
--- a/rubies/ruby/CVE-2017-0898.yml
+++ b/rubies/ruby/CVE-2017-0898.yml
@@ -35,4 +35,3 @@ related:
     - https://ubuntu.com/security/notices/USN-3685-1
     - https://web.archive.org/web/20200227145420/https://www.securityfocus.com/bid/100862
     - https://github.com/advisories/GHSA-wvmx-3rv2-5jgf
- 
From 617b0d195984a5f4c55f90b73b0b657b6c6458a0 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 3 Feb 2026 20:12:40 -0500
Subject: [PATCH 8/8] Fix formatting of patched_versions in CVE-2009-5147.yml

---
 rubies/ruby/CVE-2009-5147.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2009-5147.yml b/rubies/ruby/CVE-2009-5147.yml
index 9239ab4ca7..e292916479 100644
--- a/rubies/ruby/CVE-2009-5147.yml
+++ b/rubies/ruby/CVE-2009-5147.yml
@@ -15,7 +15,7 @@ unaffected_versions:
   - ">= 1.9.2"
 patched_versions:
   - "~> 1.9.1.129"
-  - ">= >= 2.1.8"
+  - ">= 2.1.8"
 related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2009-5147