Skip to content

GHSA SYNC: 1 new advisory; 2 modified advisories#990

Merged
postmodern merged 3 commits intorubysec:masterfrom
jasnow:ghsa-syncbot-2026-02-08-10_28_16
Feb 12, 2026
Merged

GHSA SYNC: 1 new advisory; 2 modified advisories#990
postmodern merged 3 commits intorubysec:masterfrom
jasnow:ghsa-syncbot-2026-02-08-10_28_16

Conversation

@jasnow
Copy link
Contributor

@jasnow jasnow commented Feb 8, 2026

GHSA SYNC: 1 new advisory; 2 modified advisories

postmodern
postmodern requested changes Feb 8, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to indicate that a CVE is related to another CVE, related: cve: is already supported.

related:
  cve:
    - CVE-....
  url:
    - ...

postmodern
postmodern reviewed Feb 9, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should rubies/jruby/CVE-2011-4838.yml and rubies/ruby/CVE-2011-4815.yml also get related: cve: like the rubies/jruby/CVE-2019-16254.yml file? I am OK with merging this in it's current state.

@jasnow
Copy link
Contributor Author

jasnow commented Feb 12, 2026
edited
Loading

Should rubies/jruby/CVE-2011-4838.yml and rubies/ruby/CVE-2011-4815.yml also get related: cve: like the rubies/jruby/CVE-2019-16254.yml file? I am OK with merging this in it's current state.

My vote is keep them because it keeps the information separate.
I will be glad to move the URL:/CVE: line up to URL and notes: to description: field.

@postmodern postmodern merged commit c5823cf into rubysec:master Feb 12, 2026
1 check passed
@postmodern
Copy link
Member

postmodern commented Feb 12, 2026

Should rubies/jruby/CVE-2011-4838.yml and rubies/ruby/CVE-2011-4815.yml also get related: cve: like the rubies/jruby/CVE-2019-16254.yml file? I am OK with merging this in it's current state.

My vote is keep them because it keeps the information separate. I will be glad to move the URL:/CVE: line up to URL and notes: to description: field.

Agreed. Let us use related: cve: for when the same bundled gem in Ruby's stdlib has to be updated in both Ruby and JRuby due to a vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jasnow @postmodern