[pull] master from rubysec:master#105

Open

pull[bot] wants to merge 684 commits intosecurity-geeks:masterfrom

pull bot commented Apr 29, 2021 •

edited

Loading

See Commits and Changes for more details.

Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

pull bot added the ⤵️ pull label

jasnow and others added 29 commits

March 13, 2024 17:35


          GHSA SYNC: 1 brand new advisory

ff710b9


          GHSA SYNC: Modified 1 advisory (#764)


          update GHSA-xc9x-jj77-9p9j (#765)

5dd464e

* update to include nokogiri v1.15.6 information (just released)
* add Impact section
* update title to be more accurate and descriptive

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 1 brand new advisory (#766)

81353c4

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 1 brand new advisory (#767)

359a9f2

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 2 brand new advisories

35ca69b


          Removed duplicate/invalid GHSA advisory (issue #768).

e6ff41f


          Added CVE-2024-27280 for the stringio gem (issue #769).

040177d


          Consolidate patched_versions.

519298c

* 3.0.1.1 and 3.0.1.2 both belong to the 3.0.1 version family.


          Added CVE-2024-27281 for the rdoc gem (issue #769).

30c8010


          GHSA SYNC: Added ghsa: fields to 2 advisories

bfa1f3a


          GHSA SYNC: 1 new advisory

840f21a


          GHSA SYNC: 1 brand new advisory (#774)

9920c49

* Added `patched_versions` to `gems/katello/CVE-2012-3503.yml`.

  The vulnerability was patched in commit Katello/katello@1fd91b1, which was tagged by the `katello-1.0.6-1` and `katello-1.1.7-1` release tags. However, the first gem version of katello published to https://rubygems.org is 1.5.0. I suspect that prior to the katello-1.5.0 gem, katello was installed directly from git.

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          Add phlex/GHSA-g7xq-xv8c-h98c (#775)

0a22479

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          Add spacing after the markdown headers.

1365e5a


          Add additional GHSA URLs to related: url:.

e06a3a5


          Added the CVE ID to gems/phlex/GHSA-g7xq-xv8c-h98c.yml and renamed it.

b6d7ca2


          Added CVE-2024-27282.

764be08


          CVE-2024-0227 was withdrawn/REJECTED (closes #777).

2b58e06

* GHSA-chcr-x7hc-8fp8
* https://nvd.nist.gov/vuln/detail/CVE-2024-0227


          Added CVE-2024-32887 for sidekiq.

76a499f


          Remove unnecessary quoting and trailing whitespace from the title.

bc3e9f0


          Correct example reflected XSS exploit URL.

e97ec3f


          GHSA SYNC: 1 brand new advisory (#778)

82e741b

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: Added cvss_v3 field

7ef0ac6


          GHSA SYNC: 1 brand new advisory

33eda20


          GHSA SYNC: 1 brand new advisory

343e45a


          Add a link to libxml2's CVE-2024-34459 NVD entry.

f162724


          Added CVE-2024-35231 for rack-contrib.

a15b67c


          Added CVE-2024-32978 for kaminari.

0d91567

jasnow and others added 30 commits

January 30, 2026 23:22


          GHSA SYNC: advisories (1 brand new and 1 updated) (#972)

f57e0bc


          GHSA SYNC: advisories (1 new; 2 modified)

abf2ee5


          Deleted dead rubysec reference

c4bceda


          GHSA SYNC: 1 modified advisory (#977)

1f1b9c8


          GHSA SYNC: 4 related 2008 ruby modified advisories

1cb1c83


          GHSA SYNC: 2 brand new red hat advisories

6ffc700


          GHSA SYNC: 3 modified advisory; 3 new advisory (#978)

d67d653


          GHSA SYNC: 1 modified advisory; 1 new advisory - 2nd batch (#979)

f65bb8e

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 2 brand new decideim-related advisories

90e2384


          mruby version of CVE-2017-0898 (#984)

bb12156

* The NVD entry and HackerOne report mentions that CVE-2017-0898 also affects mruby.
  * https://nvd.nist.gov/vuln/detail/CVE-2017-0898
  * https://hackerone.com/reports/212241
  * mruby/mruby#3722


          Added CVE-2021-31810 for ruby and jruby (#985)

1649e44


          6 modified ruby advisories; 2 new jruby advisories (#986)

c547b76

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 2 brand new spree advisories (#987)

f118d91


          GHSA SYNC: 1 brand new advisory

db8a791


          Added CVE-2016-2336 for ruby (#980)

1886fa5


          GHSA SYNC: 2 brand new advisories (#991)

826ac19


          GHSA SYNC: 1 new advisory; 2 modified advisories (#990)

c5823cf


          GHSA SYNC: 2 new advisories; 3 modified advisories (#989)

9be358e


          GHSA SYNC: 1 brand new advisory (#970)

a888ef6


          Added the patched version of ~> 1.10.5 for CVE-2026-25765 (#992)

e8607af

* The fix for CVE-2026-25765 was backported to the 1.x version family. See:
  * lostisland/faraday@d0fc049beb
  * GHSA-33mh-2634-fwr2

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 1 new advisory; 4 modified advisories

1ede1c0


          GHSA SYNC: 5 modified advisories (#995)

627ae63


          GHSA SYNC: 6 modified advisories

a99cf12


          Removed RELEASE NOTES from description:.

68d64cc

* Any reviewer comments should go under `notes:`.


          GHSA SYNC: 4 enhanced ruby advisories and 2 new ruby advisories (#997)

ceb1564

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>


          GHSA SYNC: 1 brand new advisory

7b73c6b


          Added CVE-2026-22860 and CVE-2026-25500 for rack (#1000)

23d78a1


          GHSA SYNC: Added cvss_v3 field/value to 1 advisory

ff594be


          GHSA SYNC: 1 brand new advisory (#1006)

8545da5


          Added CVE-2026-27820 for the zlib gem (#1010)

5a41723

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels