Skip to content

6 modified ruby advisories; 2 new jruby advisories #986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
postmodern merged 2 commits into from
Feb 8, 2026
+191 −0
Merged

6 modified ruby advisories; 2 new jruby advisories #986

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3d95538
6 modified advisories; 2 new advisories
jasnow Feb 5, 2026
dbf6a40
Fixed patched version number in `rubies/jruby/CVE-2017-17742.yml`
postmodern Feb 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions rubies/jruby/CVE-2017-17742.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
engine: jruby
cve: 2017-17742
ghsa: 7p4c-jf2w-hc3w
url: https://nvd.nist.gov/vuln/detail/CVE-2017-17742
title: HTTP response splitting attack in WEBrick
date: 2018-04-03
description: |
Allows an HTTP Response Splitting attack. An attacker can
inject a crafted key and value into an HTTP response for
the HTTP server of WEBrick.
cvss_v2: 5.0
cvss_v3: 5.3
patched_versions:
- ">= 9.2.12.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2017-17742
- https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://github.com/advisories/GHSA-7p4c-jf2w-hc3w
29 changes: 29 additions & 0 deletions rubies/jruby/CVE-2018-8778.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
engine: jruby
cve: 2018-8778
ghsa: wvhq-ch4h-8pwr
url: https://nvd.nist.gov/vuln/detail/CVE-2018-8778
title: Buffer under-read in String#unpack
date: 2018-04-03
description: |
An attacker controlling the unpacking format (similar to format
string vulnerabilities) can trigger a buffer under-read in the
String#unpack method, resulting in a massive and controlled
information disclosure.

`String#unpack` receives format specifiers as its parameter, and can be
specified the position of parsing the data by the specifier `@`. If a big
number is passed with `@`, the number is treated as the negative value, and
out-of-buffer read is occurred. So, if a script accepts an external input as
the argument of `String#unpack`, the attacker can read data on heaps.

All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 7.5
patched_versions:
- ">= 9.2.12.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-8778
- https://www.jruby.org/2020/07/01/jruby-9-2-12-0.html
- https://github.com/advisories/GHSA-wvhq-ch4h-8pwr
23 changes: 23 additions & 0 deletions rubies/ruby/CVE-2017-17742.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
engine: ruby
cve: 2017-17742
ghsa: 7p4c-jf2w-hc3w
url: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
title: HTTP response splitting in WEBrick
date: 2018-03-28
Expand All @@ -14,9 +15,31 @@ description: |
to the clients.

All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 5.3
patched_versions:
- "~> 2.2.10"
- "~> 2.3.7"
- "~> 2.4.4"
- "~> 2.5.1"
- "> 2.6.0-preview1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2017-17742
- https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
- https://ubuntu.com/security/notices/USN-3685-1
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/advisories/GHSA-7p4c-jf2w-hc3w
22 changes: 22 additions & 0 deletions rubies/ruby/CVE-2018-16396.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
engine: ruby
cve: 2018-16396
ghsa: xh4x-ph6p-vmxh
url: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
title: Tainted flags not always propogated in Array#pack and String#unpack
date: 2018-10-17
Expand All @@ -19,8 +20,29 @@ description: |
wrong.

All users running an affected release should upgrade immediately.
cvss_v2: 6.0
cvss_v3: 8.1
patched_versions:
- "~> 2.3.8"
- "~> 2.4.5"
- "~> 2.5.2"
- ">= 2.6.0-preview3"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16396
- https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released
- https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released
- https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released
- https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
- https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396
- https://hackerone.com/reports/385070
- https://ubuntu.com/security/notices/USN-3808-1
- https://www.debian.org/security/2018/dsa-4332
- https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://security.netapp.com/advisory/ntap-20190221-0002/
- https://github.com/advisories/GHSA-xh4x-ph6p-vmxh
23 changes: 23 additions & 0 deletions rubies/ruby/CVE-2018-6914.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
engine: ruby
cve: 2018-6914
ghsa: wpg3-wgm5-rv8w
url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
title: Unintentional file and directory creation with directory traversal in tempfile
and tmpdir
Expand All @@ -20,9 +21,31 @@ description: |
any directory.

All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 7.5
patched_versions:
- "~> 2.2.10"
- "~> 2.3.7"
- "~> 2.4.4"
- "~> 2.5.1"
- "> 2.6.0-preview1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-6914
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/
- https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914
- https://ubuntu.com/security/notices/USN-3626-1
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/advisories/GHSA-wpg3-wgm5-rv8w
26 changes: 26 additions & 0 deletions rubies/ruby/CVE-2018-8777.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
engine: ruby
cve: 2018-8777
ghsa: 9j6f-82h4-9mw2
url: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
title: DoS by large request in WEBrick
date: 2018-03-28
Expand All @@ -13,9 +14,34 @@ description: |
DoS attack.

All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 7.5
patched_versions:
- "~> 2.2.10"
- "~> 2.3.7"
- "~> 2.4.4"
- "~> 2.5.1"
- "> 2.6.0-preview1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-8777
- https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
- https://usn.ubuntu.com/3685-1
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0663
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/advisories/GHSA-9j6f-82h4-9mw2
23 changes: 23 additions & 0 deletions rubies/ruby/CVE-2018-8778.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
engine: ruby
cve: 2018-8778
ghsa: wvhq-ch4h-8pwr
url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
title: Buffer under-read in String#unpack
date: 2018-03-28
Expand All @@ -12,9 +13,31 @@ description: |
the argument of `String#unpack`, the attacker can read data on heaps.

All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 7.5
patched_versions:
- "~> 2.2.10"
- "~> 2.3.7"
- "~> 2.4.4"
- "~> 2.5.1"
- "> 2.6.0-preview1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-8778
- https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released
- https://ubuntu.com/security/notices/USN-3626-1
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/advisories/GHSA-wvhq-ch4h-8pwr
22 changes: 22 additions & 0 deletions rubies/ruby/CVE-2018-8779.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,31 @@ description: |
path.
All users running an affected release should upgrade immediately.
cvss_v2: 5.0
cvss_v3: 7.5
patched_versions:
- "~> 2.2.10"
- "~> 2.3.7"
- "~> 2.4.4"
- "~> 2.5.1"
- "> 2.6.0-preview1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2018-8779
- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- https://www.ruby-lang.org/en/news/2018/05/31/ruby-2-6-0-preview2-released
- https://ubuntu.com/security/notices/USN-3626-1
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/advisories/GHSA-mwq4-948j-88c5