Merge branch 'urgent_fix' into development

thesp0nge · Nov 23, 2016 · a4142b3 · a4142b3
2 parents 312eb11 + 4ca41a1
commit a4142b3
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 10 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -5,7 +5,19 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Sun Oct  2 22:34:43 CEST 2016_
+_latest update: Tue Nov  1 22:47:56 CET 2016_
+
+## Version 1.6.7 - codename: Tow Mater (2016-11-24)
+
+* Removed a typo preventing CVE bulletins to be loaded in the KB
+* Removed CVSS as external dependency. Now it is a Dawn::Cvss module
+* Dropped sys-uname dependency. Using shell 'uname -r' instead
+* Dropped ptools dependency. Pattern matching will run also with binary files.
+* Applied pull request #217 - Add bundler as runtime dependency - by @kolybasov
+* Applied pull request #216 - Add TraviCI setup to README - by @vpolimenov
+* Applied pull request #215 - Fixes issue where debug mode was always enabled by @bartj3
+
+## Version 1.6.6 - codename: Tow Mater (2016-11-01)
 
 * Changed config filename to dawnscanner.yml
 * Adding a check for CVE-2016-5697: XML signature wrapping attack in ruby-saml

diff --git a/KnowledgeBase.md b/KnowledgeBase.md
@@ -1,6 +1,6 @@
 # Dawnscanner Knowledge base
 
-The knowledge base library for dawnscanner version 1.6.g56c1269 contains 235 security checks.
+The knowledge base library for dawnscanner version 1.6.g312eb11 contains 235 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
@@ -505,4 +505,4 @@ Setting this to true will essentially strip out any host information.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
 
 
-_Last updated: Tue 01 Nov 18:56:49 CET 2016_
+_Last updated: Wed 23 Nov 22:51:52 CET 2016_
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ box:
 
 ---
 
-dawnscanner version 1.6.4 has 229 security checks loaded in its knowledge
+dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge
 base. Most of them are CVE bulletins applying to gems or the ruby interpreter
 itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
 

diff --git a/bin/dawn b/bin/dawn
@@ -92,7 +92,7 @@ opts.each do |opt, val|
   when '--config-file'
     options = Dawn::Core.read_conf(val)
   when '--disable-cve-bulletins'
-    options[:enabled_checks].delete(:cve_bulletin)
+    options[:enabled_checks].delete(:bulletin)
   when '--disable-code-quality'
     options[:enabled_checks].delete(:code_quality)
   when '--disable-code-style'

diff --git a/checksum/dawnscanner-1.6.6.gem.sha1 b/checksum/dawnscanner-1.6.6.gem.sha1
@@ -0,0 +1 @@
+09eaf5fb8a787aaa2f1b57ef0792f0a36571aec6
diff --git a/lib/dawn/kb/basic_check.rb b/lib/dawn/kb/basic_check.rb
@@ -49,7 +49,7 @@ module BasicCheck
       # This is a flag for the security check family. Valid values are:
       #   + generic_check
       #   + code_quality
-      #   + cve_bulletin
+      #   + bulletin
       #   + code_style
       #   + owasp_ror_cheatsheet
       #   + owasp_top_10_n (where n is a number between 1 and 10)

diff --git a/lib/dawn/kb/cve_2015_7577.rb b/lib/dawn/kb/cve_2015_7577.rb
@@ -24,7 +24,7 @@ def initialize
            })
           self.save_minor=true
           self.save_major=true
-          self.debug = true
+          # self.debug = true
           self.safe_dependencies = [{:name=>"activerecord", :version=>['3.1.9999','3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
           self.not_affected = {:name=>"actionpack", :version=>['3.0.x']}
 

diff --git a/lib/dawn/version.rb b/lib/dawn/version.rb
@@ -1,7 +1,7 @@
 module Dawn
-    VERSION = "1.6.g71b430e"
+    VERSION = "1.6.g312eb11"
     CODENAME = "Tow Mater"
     RELEASE = "(development)"
-    BUILD = "26"
-    COMMIT = "g71b430e"
+    BUILD = "38"
+    COMMIT = "g312eb11"
 end