GHSA SYNC: advisories (1 new; 2 modified)

rubies/ruby/CVE-2005-1992.yml

@@ -0,0 +1,27 @@
+---
+engine: ruby
+cve: 2005-1992
+ghsa: vf66-crpm-448h
+url: https://nvd.nist.gov/vuln/detail/CVE-2005-1992
+title: Ruby XML-RPC Remote Arbitrary Command Execution
+date: 2005-06-20
+description: |
+  The XMLRPC server in utils.rb for the ruby library (libruby) 1.8
+  sets an invalid default value that prevents "security protection"
+  using handlers, which allows remote attackers to execute
+  arbitrary commands.
+cvss_v2: 7.5
+patched_versions:
+  - ">= 1.8.2-r2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2005-1992
+    - https://www.ruby-lang.org/en/news/2005/07/01/xmlrpcipimethods-vulnerability
+    - https://web.archive.org/web/20081120011422/http://www2.ruby-lang.org/patches/ruby-1.8.2-xmlrpc-ipimethods-fix.diff
+    - https://web.archive.org/web/20080828084436/http://www2.ruby-lang.org/en/20050701.html
+    - https://web.archive.org/web/20060813155928/https://lists.apple.com/archives/security-announce/2005/Sep/msg00002.html
+    - https://web.archive.org/web/20120111083642/http://www.securityfocus.com/bid/14016
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064
+    - http://www.debian.org/security/2005/dsa-748
+    - http://www.kb.cert.org/vuls/id/684913
+    - http:/https://github.com/advisories/GHSA-vf66-crpm-448h

rubies/ruby/CVE-2007-5162.yml

@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2007-5162
+ghsa: 26pc-wx8w-v5vj
 url: https://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability/
 title: Ruby Net::HTTPS library does not validate server certificate CN
 date: 2007-09-27
@@ -14,3 +15,10 @@ cvss_v2: 4.3
 patched_versions:
   - "~> 1.8.5.114"
   - ">= 1.8.6.111"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2007-5162
+    - https://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability
+    - https://bugzilla.redhat.com/show_bug.cgi?id=313791
+    - http://www.ubuntu.com/usn/usn-596-1
+    - https://github.com/advisories/GHSA-26pc-wx8w-v5vj

rubies/ruby/CVE-2015-9096.yml

@@ -1,9 +1,12 @@
 ---
 engine: ruby
 cve: 2015-9096
+ghsa: 2h3c-5vqm-gqfh
 url: https://hackerone.com/reports/137631
 title: SMTP command injection
 date: 2015-12-09
+cvss_v2: 4.3
+cvss_v3: 6.1
 description: |
   Net::SMTP is vulnerable to SMTP command injection via CRLF sequences
   in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences
@@ -15,6 +18,23 @@ description: |
   The injection attack is described in Terada, Takeshi. "SMTP Injection via
   Recipient Email Addresses." 2015. The attacks described in the paper
   (Terada, p. 4) can be applied to without any modification.
+
+  ## RELEASE INFO
+  Backported to
+    - 2.2: PR#1648
+    - 2.3: PR#1647
 patched_versions:
-  - ">= 2.4.0"
   - "~> 2.3.5"
+  - ">= 2.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-9096
+    - https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
+    - https://github.com/ruby/ruby/pull/1648
+    - https://github.com/ruby/ruby/pull/1647
+    - https://hackerone.com/reports/137631
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://www.debian.org/security/2017/dsa-3966
+    - http://www.mbsd.jp/Whitepaper/smtpi.pdf
+    - https://github.com/mikel/mail/pull/1097
+    - https://github.com/advisories/GHSA-2h3c-5vqm-gqfh