GHSA SYNC: 3 modified advisory; 3 new advisory #978
Merged: postmodern merged 8 commits into rubysec:master from jasnow:ghsa-syncbot-2026-02-01-16_33_29 on Feb 7, 2026 (+148 −7).
8 commits:

- f8ab84e GHSA SYNC: 1 modified advisory; 1 new advisory (jasnow)
- 9426975 GHSA SYNC: 2 modified and 2 new advisories (jasnow)
- a438dc8 Removed trailing space on 1 line (jasnow)
- dce6159 Fix advisory link format in CVE-2009-5147.yml (jasnow)
- 4287b26 Add 2.1.8 patched version for CVE-2009-5147 (jasnow)
- ee6f694 Update CVE-2017-0898.yml to remove mruby references (jasnow)
- e14e406 Remove empty line in CVE-2017-0898.yml (jasnow)
- 617b0d1 Fix formatting of patched_versions in CVE-2009-5147.yml (jasnow)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| engine: mruby | ||
| cve: 2020-36401 | ||
| ghsa: qq64-7fh7-7hmw | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2020-36401 | ||
| title: double free vulnerabliity | ||
| date: 2021-06-30 | ||
| description: | | ||
| mruby 2.1.2 has a double free in mrb_default_allocf (called | ||
| from mrb_free and obj_free). | ||
|
|
||
| # RELEASE NOTES | ||
|
|
||
| Cloned "mruby" repo, ran "git fetch --all --tags", then | ||
| "git tag --contains 97319697c8f9f6ff27b32589947e1918e3015503" | ||
| and got "3.0.0-preview, 3.0.0-rc, 3.0.0, ... 3.4.0-rc2". | ||
| cvss_v2: 6.8 | ||
| cvss_v3: 7.8 | ||
| patched_versions: | ||
| - ">= 3.0.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-36401 | ||
| - https://mruby.org/releases/2021/03/05/mruby-3.0.0-released.html | ||
| - https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503 | ||
| - https://issues.oss-fuzz.com/issues/42485317 | ||
| - https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml | ||
| - https://github.com/advisories/GHSA-qq64-7fh7-7hmw |
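Review bot: the `description` literal block in this hunk carries working notes ("# RELEASE NOTES", "Cloned "mruby" repo, ran "git fetch --all --tags" ...") that will be published verbatim as the advisory text; keep only the vulnerability summary in `description` and move the version-research note to the PR discussion or a YAML comment. Also `title: double free vulnerabliity` misspells "vulnerability", and the empty lines left inside the literal block should be dropped to match the other advisories.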
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| --- | ||
| engine: ruby | ||
| cve: 2006-1931 | ||
| osvdb: 24972 | ||
| ghsa: j98g-25wq-62h9 | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2006-1931 | ||
| title: Ruby http/xmlrpc server DoS | ||
| date: 2006-04-20 | ||
| description: | | ||
| The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, | ||
| which allows attackers to cause a denial of service | ||
| (blocked connections) via a large amount of data. | ||
| cvss_v2: 5.0 | ||
| patched_versions: | ||
| - ">= 1.8.3" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2006-1931 | ||
| - https://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch | ||
| - https://security.gentoo.org/glsa/200605-11 | ||
| - https://exchange.xforce.ibmcloud.com/vulnerabilities/26102 | ||
| - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540 | ||
| - https://web.archive.org/web/20201208004659/https://usn.ubuntu.com/273-1 | ||
| - https://web.archive.org/web/20070430022104/http://www.debian.org/security/2006/dsa-1157 | ||
| - https://web.archive.org/web/20061128124605/http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/27787 | ||
| - https://github.com/advisories/GHSA-j98g-25wq-62h9 |
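Review bot: the affected range is inconsistent within this hunk: `description` says "Ruby before 1.8.2", but `patched_versions` is `">= 1.8.3"` and the referenced fix is `ruby-1.8.2-xmlrpc-dos-1.patch`, which implies 1.8.2 itself was affected. Either change the description to "through 1.8.2" (if 1.8.3 is the first fixed release) or set `patched_versions` to `">= 1.8.2"`, and say which in the commit message.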
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,30 @@ | ||
| --- | ||
| engine: ruby | ||
| cve: 2009-5147 | ||
| url: https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released/ | ||
| title: Ruby DL::dlopen could open a library with tainted library name even if $SAFE | ||
| > 0 | ||
| ghsa: mmq8-m72q-qgm4 | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2009-5147 | ||
| title: Ruby DL::dlopen could open a library with tainted library | ||
| name even if $SAFE > 0 | ||
| date: 2009-05-12 | ||
| description: | | ||
| DL::dlopen could open a library with tainted library name even if $SAFE > 0 | ||
| cvss_v2: 7.5 | ||
| cvss_v3: 7.3 | ||
| unaffected_versions: | ||
| - "< 1.9.1" | ||
| - ">= 1.9.2" | ||
| patched_versions: | ||
| - "~> 1.9.1.129" | ||
| - ">= 2.1.8" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2009-5147 | ||
| - https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-1-8-released | ||
| - https://www.ruby-lang.org/en/news/2009/05/12/ruby-1-9-1-p129-released | ||
| - https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b | ||
| - https://github.com/ruby/ruby/commit/7269e3de3cee3bbb6ab77fc708f3a10cab00b65e | ||
| - http://seclists.org/oss-sec/2015/q3/222 | ||
| - https://bugzilla.redhat.com/show_bug.cgi?id=1248935 | ||
| - https://access.redhat.com/errata/RHSA-2018:0583 | ||
| - https://github.com/advisories/GHSA-mmq8-m72q-qgm4 | ||
| - https://web.archive.org/web/20200227161903/https://www.securityfocus.com/bid/76060 | ||
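Review bot: `unaffected_versions` and `patched_versions` contradict each other in this hunk: `">= 1.9.2"` declares every release from 1.9.2 onward unaffected, while `">= 2.1.8"` under `patched_versions` (with the ruby-2-1-8-released reference) implies 2.1.0 through 2.1.7 were affected. Pick one model: drop the `">= 1.9.2"` unaffected range if the 2.1.8 fix applies, or drop the `">= 2.1.8"` entry if it does not, so tooling never sees a version as both unaffected and needing a patch. The wrapped `title:` plain scalar folds correctly in YAML, but confirm the rendered title still reads "... even if $SAFE > 0".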
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| engine: ruby | ||
| cve: 2021-32066 | ||
| ghsa: gx49-h5r3-q3xj | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2021-32066 | ||
| title: imap - StartTLS stripping attack | ||
| date: 2021-08-01 | ||
| description: | | ||
| An issue was discovered in Ruby through | ||
| 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. | ||
| Net::IMAP does not raise an exception when StartTLS fails with | ||
| an an unknown response, which might allow man-in-the-middle | ||
| attackers to bypass the TLS protections by leveraging a network | ||
| position between the client and the registry to block the | ||
| StartTLS command, aka a "StartTLS stripping attack." | ||
| cvss_v2: 5.8 | ||
| cvss_v3: 7.4 | ||
| patched_versions: | ||
| - "~> 2.6.8" | ||
| - "~> 2.7.4" | ||
| - ">= 3.0.2" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2021-32066 | ||
| - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released | ||
| - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released | ||
| - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released | ||
| - https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap | ||
| - https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a | ||
| - https://hackerone.com/reports/1178562 | ||
| - https://osv.dev/vulnerability/BIT-ruby-2021-32066?utm_source=copilot.com | ||
| - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html | ||
| - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html | ||
| - https://www.oracle.com/security-alerts/cpuapr2022.html | ||
| - https://security.netapp.com/advisory/ntap-20210902-0004 | ||
| - https://security.gentoo.org/glsa/202401-27 | ||
| - https://github.com/advisories/GHSA-gx49-h5r3-q3xj |
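Review bot: `description` repeats a word ("fails with an an unknown response"); even though the phrase is copied from the NVD text, fix it to "an unknown response" here. The osv.dev entry under `related.url` carries a tracking query string (`?utm_source=copilot.com`) that should be stripped so the link is `https://osv.dev/vulnerability/BIT-ruby-2021-32066`.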