Inappropriate version range for CVE-2012-3424

[nsslh]

The unaffected_versions for CVE-2012-3424 disagrees with the advisory text, which says:

Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7

But we have:

unaffected_versions:
- '>= 2.3.5, <= 2.3.14'

That value is the result of a confusing series of commits. I suspect that the intent was for it to read:

unaffected_versions:
- '>= 2.0, <= 2.3.15'

But the Rails 2 line enjoyed three subsequent releases that are not covered by this range.

I think the unaffected_versions spec should be < 3.0. This would match the text, and as a happy coincidence would include all future RailsLTS 2 releases.

[postmodern]

If you look at the original advisory announcement, it mentions Not affected: 2.3.5 - 2.3.14, so I think the unaffected_versions range is correct.
https://groups.google.com/g/rubyonrails-security/c/vxJjrc15qYM/m/fRQl-vIyTSQJ?hl=en

[nsslh]

@postmodern The unaffected_versions range is correct per the original advsiory, but only because, at the time of the original advisory, 2.3.14 was the latest release on the 2.3 line. Then, almost 6 months later, in January of 2013, 2.3.15 was released.

The original announcement wasn't updated. That makes sense. It's a mailing list post. Rather look at NIST: https://nvd.nist.gov/vuln/detail/CVE-2012-3424 (last updated 2019).

P.S. Love your work on chruby, thank you!