Update database (#43)

maxjacobson · web-flow · commit c3f65e5ea9ef · 2017-02-24T14:38:34.000-05:00
Pulls in: rubysec/ruby-advisory-db@599408b...6b88736 I may have done something kind of gnarly to make this have a clean diff ``` issues = analyze_directory(directory).map { |h| f= Hash[h.sort] f["location"] = Hash[f["location"].sort] f } File.open("./tmp", "w") { |f| f.puts JSON.pretty_generate(issues, indent: " ") } ```
diff --git a/DATABASE_VERSION b/DATABASE_VERSION
@@ -1 +1 @@
-Wed Feb  8 16:07:01 EST 2017
+Fri Feb 24 11:39:21 EST 2017
diff --git a/spec/fixtures/unpatched_versions/issues.json b/spec/fixtures/unpatched_versions/issues.json
@@ -5,10 +5,10 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2015-7581\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE\n\n**Solution**: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
+            "body": "**Advisory**: CVE-2016-0751\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc\n\n**Solution**: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
         },
-        "description": "Object leak vulnerability for wildcard controller routes in Action Pack",
-        "fingerprint": "06ae795b91e09069846af543d755b9e1",
+        "description": "Possible Object Leak and Denial of Service attack in Action Pack",
+        "fingerprint": "fb0889d061f06c4203ed27b43aca68b2",
         "location": {
             "lines": {
                 "begin": 18,
@@ -26,10 +26,10 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2015-7576\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k\n\n**Solution**: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
+            "body": "**Advisory**: CVE-2016-2098\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q\n\n**Solution**: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14"
         },
-        "description": "Timing attack vulnerability in basic authentication in Action Controller.",
-        "fingerprint": "98b8ca0112bff7bf79c1a85a829cf948",
+        "description": "Possible remote code execution vulnerability in Action Pack",
+        "fingerprint": "464176078b0d3514fdf527afe2f93315",
         "location": {
             "lines": {
                 "begin": 18,
@@ -47,10 +47,10 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2016-2098\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q\n\n**Solution**: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14"
+            "body": "**Advisory**: CVE-2015-7576\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k\n\n**Solution**: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
         },
-        "description": "Possible remote code execution vulnerability in Action Pack",
-        "fingerprint": "464176078b0d3514fdf527afe2f93315",
+        "description": "Timing attack vulnerability in basic authentication in Action Controller.",
+        "fingerprint": "98b8ca0112bff7bf79c1a85a829cf948",
         "location": {
             "lines": {
                 "begin": 18,
@@ -68,10 +68,10 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2016-0751\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc\n\n**Solution**: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
+            "body": "**Advisory**: CVE-2015-7581\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE\n\n**Solution**: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
         },
-        "description": "Possible Object Leak and Denial of Service attack in Action Pack",
-        "fingerprint": "fb0889d061f06c4203ed27b43aca68b2",
+        "description": "Object leak vulnerability for wildcard controller routes in Action Pack",
+        "fingerprint": "06ae795b91e09069846af543d755b9e1",
         "location": {
             "lines": {
                 "begin": 18,
@@ -89,7 +89,28 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2016-0752\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00\n\n**Solution**: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
+            "body": "**Advisory**: CVE-2016-6316\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk\n\n**Solution**: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1"
+        },
+        "description": "Possible XSS Vulnerability in Action View",
+        "fingerprint": "f49fdfa41c42d6b18c17913156307c51",
+        "location": {
+            "lines": {
+                "begin": 25,
+                "end": 25
+            },
+            "path": "Gemfile.lock"
+        },
+        "remediation_points": 500000,
+        "severity": "normal",
+        "type": "Issue"
+    },
+    {
+        "categories": [
+            "Security"
+        ],
+        "check_name": "Insecure Dependency",
+        "content": {
+            "body": "**Advisory**: CVE-2016-0752\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00\n\n**Solution**: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
         },
         "description": "Possible Information Leak Vulnerability in Action View",
         "fingerprint": "f26c202060c497fd32f90c538c543445",
@@ -110,7 +131,7 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2016-0753\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ\n\n**Solution**: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
+            "body": "**Advisory**: CVE-2016-0753\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ\n\n**Solution**: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
         },
         "description": "Possible Input Validation Circumvention in Active Model",
         "fingerprint": "723fd12f6da25240ffbf2f3312b8e33d",
@@ -131,7 +152,7 @@
         ],
         "check_name": "Insecure Dependency",
         "content": {
-            "body": "**Advisory**: CVE-2015-7577\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g\n\n**Solution**: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
+            "body": "**Advisory**: CVE-2015-7577\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g\n\n**Solution**: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1"
         },
         "description": "Nested attributes rejection proc bypass in Active Record",
         "fingerprint": "2441a69a4af613e9235af4024ff21b30",
@@ -146,6 +167,27 @@
         "severity": "normal",
         "type": "Issue"
     },
+    {
+        "categories": [
+            "Security"
+        ],
+        "check_name": "Insecure Dependency",
+        "content": {
+            "body": "**Advisory**: CVE-2016-6317\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s\n\n**Solution**: upgrade to >= 4.2.7.1"
+        },
+        "description": "Unsafe Query Generation Risk in Active Record",
+        "fingerprint": "1e32b91522fc8bdf4def84929a11d4b6",
+        "location": {
+            "lines": {
+                "begin": 37,
+                "end": 37
+            },
+            "path": "Gemfile.lock"
+        },
+        "remediation_points": 500000,
+        "severity": "normal",
+        "type": "Issue"
+    },
     {
         "categories": [
             "Security"
@@ -188,6 +230,27 @@
         "severity": "normal",
         "type": "Issue"
     },
+    {
+        "categories": [
+            "Security"
+        ],
+        "check_name": "Insecure Dependency",
+        "content": {
+            "body": "**Advisory**: CVE-2015-8806\n\n**URL**: https://github.com/sparklemotion/nokogiri/issues/1473\n\n**Solution**: upgrade to >= 1.6.8"
+        },
+        "description": "Denial of service or RCE from libxml2 and libxslt",
+        "fingerprint": "2675b3a139ad320ff6843f7dc5b9937e",
+        "location": {
+            "lines": {
+                "begin": 74,
+                "end": 74
+            },
+            "path": "Gemfile.lock"
+        },
+        "remediation_points": 500000,
+        "severity": "normal",
+        "type": "Issue"
+    },
     {
         "categories": [
             "Security"

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Wed Feb 8 16:07:01 EST 2017`
	`1`	`+Fri Feb 24 11:39:21 EST 2017`