From 3d95538de06af7506649be286e19a5ea6b22d8bf Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Thu, 5 Feb 2026 14:33:55 -0500
Subject: [PATCH 1/2] 6 modified advisories; 2 new advisories
---
rubies/jruby/CVE-2017-17742.yml | 23 +++++++++++++++++++++++
rubies/jruby/CVE-2018-8778.yml | 29 +++++++++++++++++++++++++++++
rubies/ruby/CVE-2017-17742.yml | 23 +++++++++++++++++++++++
rubies/ruby/CVE-2018-16396.yml | 22 ++++++++++++++++++++++
rubies/ruby/CVE-2018-6914.yml | 23 +++++++++++++++++++++++
rubies/ruby/CVE-2018-8777.yml | 26 ++++++++++++++++++++++++++
rubies/ruby/CVE-2018-8778.yml | 23 +++++++++++++++++++++++
rubies/ruby/CVE-2018-8779.yml | 22 ++++++++++++++++++++++
8 files changed, 191 insertions(+)
create mode 100644 rubies/jruby/CVE-2017-17742.yml
create mode 100644 rubies/jruby/CVE-2018-8778.yml
diff --git a/rubies/jruby/CVE-2017-17742.yml b/rubies/jruby/CVE-2017-17742.yml
new file mode 100644
index 0000000000..f9adefc86b
--- /dev/null
+++ b/rubies/jruby/CVE-2017-17742.yml
@@ -0,0 +1,23 @@
+---
+engine: jruby
+cve: 2017-17742
+ghsa: 7p4c-jf2w-hc3w
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+title: HTTP response splitting attack in WEBrick
+date: 2018-04-03
+description: |
+ Allows an HTTP Response Splitting attack. An attacker can
+ inject a crafted key and value into an HTTP response for
+ the HTTP server of WEBrick.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+ - ">= 9-2-12-0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+ - https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
+ - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+ - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+ - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+ - https://github.com/advisories/GHSA-7p4c-jf2w-hc3w
diff --git a/rubies/jruby/CVE-2018-8778.yml b/rubies/jruby/CVE-2018-8778.yml
new file mode 100644
index 0000000000..e9c6f848d9
--- /dev/null
+++ b/rubies/jruby/CVE-2018-8778.yml
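Review bot: `date: 2018-04-03` in the new `rubies/jruby/CVE-2017-17742.yml` is the NVD publication date of the CRuby CVE, while the only JRuby-specific reference in `related.url` is the 9.2.12.0 release post whose path is dated 2020-07-01, so anything that sorts or filters advisories by `date` will show a JRuby fix that predates the patched release by two years. If the schema's `date` is meant to be the advisory's own disclosure or fix date rather than NVD's, `date: 2020-07-01` (taken from the linked release URL) looks like the better anchor; confirm the field's definition before changing it. The same question applies to the new `rubies/jruby/CVE-2018-8778.yml` hunk, which carries the identical `date: 2018-04-03` next to the same 2020-07-01 release link. The `">= 9-2-12-0"` constraint in this hunk is already corrected by the second patch in the series, so nothing further is needed there.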
@@ -0,0 +1,29 @@
+---
+engine: jruby
+cve: 2018-8778
+ghsa: wvhq-ch4h-8pwr
+url: https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+title: Buffer under-read in String#unpack
+date: 2018-04-03
+description: |
+ An attacker controlling the unpacking format (similar to format
+ string vulnerabilities) can trigger a buffer under-read in the
+ String#unpack method, resulting in a massive and controlled
+ information disclosure.
+
+ `String#unpack` receives format specifiers as its parameter, and can be
+ specified the position of parsing the data by the specifier `@`. If a big
+ number is passed with `@`, the number is treated as the negative value, and
+ out-of-buffer read is occurred. So, if a script accepts an external input as
+ the argument of `String#unpack`, the attacker can read data on heaps.
+
+ All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+ - ">= 9.2.12.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+ - https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
+ - https://github.com/advisories/GHSA-wvhq-ch4h-8pwr
diff --git a/rubies/ruby/CVE-2017-17742.yml b/rubies/ruby/CVE-2017-17742.yml
index 77be50bd70..90a701b65e 100644
--- a/rubies/ruby/CVE-2017-17742.yml
+++ b/rubies/ruby/CVE-2017-17742.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2017-17742
+ghsa: 7p4c-jf2w-hc3w
 url: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
 title: HTTP response splitting in WEBrick
 date: 2018-03-28
@@ -14,9 +15,31 @@ description: |
 to the clients.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 5.3
 patched_versions:
 - "~> 2.2.10"
 - "~> 2.3.7"
 - "~> 2.4.4"
 - "~> 2.5.1"
 - "> 2.6.0-preview1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-17742
+ - https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+ - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+ - https://ubuntu.com/security/notices/USN-3685-1
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+ - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+ - https://www.debian.org/security/2018/dsa-4259
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://github.com/advisories/GHSA-7p4c-jf2w-hc3w
diff --git a/rubies/ruby/CVE-2018-16396.yml b/rubies/ruby/CVE-2018-16396.yml
index 631cfe2cb8..1a9973c29b 100644
--- a/rubies/ruby/CVE-2018-16396.yml
+++ b/rubies/ruby/CVE-2018-16396.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-16396
+ghsa: xh4x-ph6p-vmxh
 url: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
 title: Tainted flags not always propogated in Array#pack and String#unpack
 date: 2018-10-17
@@ -19,8 +20,29 @@ description: |
 wrong.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 6.0
+cvss_v3: 8.1
 patched_versions:
 - "~> 2.3.8"
 - "~> 2.4.5"
 - "~> 2.5.2"
 - ">= 2.6.0-preview3"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16396
+ - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released
+ - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released
+ - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released
+ - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
+ - https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396
+ - https://hackerone.com/reports/385070
+ - https://ubuntu.com/security/notices/USN-3808-1
+ - https://www.debian.org/security/2018/dsa-4332
+ - https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://security.netapp.com/advisory/ntap-20190221-0002/
+ - https://github.com/advisories/GHSA-xh4x-ph6p-vmxh
diff --git a/rubies/ruby/CVE-2018-6914.yml b/rubies/ruby/CVE-2018-6914.yml
index 8f79aaffb6..690fb861d4 100644
--- a/rubies/ruby/CVE-2018-6914.yml
+++ b/rubies/ruby/CVE-2018-6914.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-6914
+ghsa: wpg3-wgm5-rv8w
 url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
 title: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
@@ -20,9 +21,31 @@ description: |
 any directory.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.2.10"
 - "~> 2.3.7"
 - "~> 2.4.4"
 - "~> 2.5.1"
 - "> 2.6.0-preview1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-6914
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+ - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/
+ - https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914
+ - https://ubuntu.com/security/notices/USN-3626-1
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+ - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+ - https://www.debian.org/security/2018/dsa-4259
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://github.com/advisories/GHSA-wpg3-wgm5-rv8w
diff --git a/rubies/ruby/CVE-2018-8777.yml b/rubies/ruby/CVE-2018-8777.yml
index 441a87d46c..43a8673e65 100644
--- a/rubies/ruby/CVE-2018-8777.yml
+++ b/rubies/ruby/CVE-2018-8777.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8777
+ghsa: 9j6f-82h4-9mw2
 url: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
 title: DoS by large request in WEBrick
 date: 2018-03-28
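Review bot: The `related.url` list added to `rubies/ruby/CVE-2018-6914.yml` mixes URL forms: the `ruby-2-6-0-preview3-released/` entry carries a trailing slash while every other ruby-lang.org entry in this list and in the sibling hunks has none, and the `rubies/ruby/CVE-2018-8777.yml` hunk links the same Ubuntu notice as `https://usn.ubuntu.com/3685-1` where `rubies/ruby/CVE-2017-17742.yml` uses `https://ubuntu.com/security/notices/USN-3685-1`. Tooling that deduplicates or cross-references advisories by exact URL will treat these as distinct references, so normalising to the slash-less ruby-lang.org form and the `ubuntu.com/security/notices/USN-…` form keeps the six lists consistent. This is a style point only; no advisory content changes.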
@@ -13,9 +14,34 @@ description: |
 DoS attack.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.2.10"
 - "~> 2.3.7"
 - "~> 2.4.4"
 - "~> 2.5.1"
 - "> 2.6.0-preview1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-8777
+ - https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+ - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+ - https://usn.ubuntu.com/3685-1
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+ - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+ - https://www.debian.org/security/2018/dsa-4259
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - https://access.redhat.com/errata/RHSA-2020:0542
+ - https://access.redhat.com/errata/RHSA-2020:0591
+ - https://access.redhat.com/errata/RHSA-2020:0663
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://github.com/advisories/GHSA-9j6f-82h4-9mw2
diff --git a/rubies/ruby/CVE-2018-8778.yml b/rubies/ruby/CVE-2018-8778.yml
index 056054fe9e..510be78967 100644
--- a/rubies/ruby/CVE-2018-8778.yml
+++ b/rubies/ruby/CVE-2018-8778.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8778
+ghsa: wvhq-ch4h-8pwr
 url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
 title: Buffer under-read in String#unpack
 date: 2018-03-28
@@ -12,9 +13,31 @@ description: |
 the argument of `String#unpack`, the attacker can read data on heaps.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.2.10"
 - "~> 2.3.7"
 - "~> 2.4.4"
 - "~> 2.5.1"
 - "> 2.6.0-preview1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-8778
+ - https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+ - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
+ - https://ubuntu.com/security/notices/USN-3626-1
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+ - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+ - https://www.debian.org/security/2018/dsa-4259
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://github.com/advisories/GHSA-wvhq-ch4h-8pwr
diff --git a/rubies/ruby/CVE-2018-8779.yml b/rubies/ruby/CVE-2018-8779.yml
index 1d1504d611..c092fc7ebe 100644
--- a/rubies/ruby/CVE-2018-8779.yml
+++ b/rubies/ruby/CVE-2018-8779.yml
@@ -20,9 +20,31 @@ description: |
 path.
 
 All users running an affected release should upgrade immediately.
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.2.10"
 - "~> 2.3.7"
 - "~> 2.4.4"
 - "~> 2.5.1"
 - "> 2.6.0-preview1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-8779
+ - https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+ - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+ - https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
+ - https://ubuntu.com/security/notices/USN-3626-1
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+ - https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
+ - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+ - https://www.debian.org/security/2018/dsa-4259
+ - https://access.redhat.com/errata/RHSA-2018:3729
+ - https://access.redhat.com/errata/RHSA-2018:3730
+ - https://access.redhat.com/errata/RHSA-2018:3731
+ - https://access.redhat.com/errata/RHSA-2019:2028
+ - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+ - https://github.com/advisories/GHSA-mwq4-948j-88c5
From dbf6a4060ca9581de3380a39291efd8c026f765e Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Sat, 7 Feb 2026 16:15:31 -0800
Subject: [PATCH 2/2] Fixed patched version number in `rubies/jruby/CVE-2017-17742.yml`
---
rubies/jruby/CVE-2017-17742.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rubies/jruby/CVE-2017-17742.yml b/rubies/jruby/CVE-2017-17742.yml
index f9adefc86b..691fcc56a0 100644
--- a/rubies/jruby/CVE-2017-17742.yml
+++ b/rubies/jruby/CVE-2017-17742.yml
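Review bot: `rubies/ruby/CVE-2018-8779.yml` is the only one of the six modified advisories that does not receive a top-level `ghsa:` field: its diff has a single hunk starting at old line 20 (the diffstat's 22 insertions are exactly the two `cvss_*` lines plus the 20-line `related` block), so the header is untouched, even though the new `related.url` list links `GHSA-mwq4-948j-88c5`. Unless the file already carries a `ghsa:` key above line 20 (not visible here), add `ghsa: mwq4-948j-88c5` after the `cve:` line to match the other five files, since consumers that resolve advisories by GHSA identifier read that field rather than the related links. The enclosing `description` block scalar starts outside this hunk.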
@@ -12,7 +12,7 @@ description: |
 cvss_v2: 5.0
 cvss_v3: 5.3
 patched_versions:
- - ">= 9-2-12-0"
+ - ">= 9.2.12.0"
 related:
 url:
 - https://nvd.nist.gov/vuln/detail/CVE-2017-17742