From ea4c6301fe68c0e6db3fe97576b8e311db09ca6e Mon Sep 17 00:00:00 2001 From: tkdn Date: Mon, 23 Jan 2023 11:55:38 +0900 Subject: [PATCH 1/3] Consider Rails LTS 5.2.8.15 - https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jul-21st-2022-version-5-2-8-15 --- gems/actionpack/CVE-2023-22792.yml | 3 ++- gems/actionpack/CVE-2023-22795.yml | 3 ++- gems/activerecord/CVE-2022-44566.yml | 3 ++- gems/activesupport/CVE-2023-22796.yml | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/gems/actionpack/CVE-2023-22792.yml b/gems/actionpack/CVE-2023-22792.yml index 2eec40f528..87dd7f960b 100644 --- a/gems/actionpack/CVE-2023-22792.yml +++ b/gems/actionpack/CVE-2023-22792.yml @@ -12,7 +12,7 @@ description: | Versions Affected: >= 3.0.0 Not affected: < 3.0.0 - Fixed Versions: 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 # Impact @@ -32,5 +32,6 @@ description: | unaffected_versions: - "< 3.0.0" patched_versions: +- "~> 5.2.8, >= 5.2.8.15" - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/actionpack/CVE-2023-22795.yml b/gems/actionpack/CVE-2023-22795.yml index fb15536452..a1e00612d5 100644 --- a/gems/actionpack/CVE-2023-22795.yml +++ b/gems/actionpack/CVE-2023-22795.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 # Impact @@ -32,5 +32,6 @@ description: |- Users on Ruby 3.2.0 or greater are not affected by this vulnerability. patched_versions: +- "~> 5.2.8, >= 5.2.8.15" - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activerecord/CVE-2022-44566.yml b/gems/activerecord/CVE-2022-44566.yml index 57bf61caad..1a3794df7f 100644 --- a/gems/activerecord/CVE-2022-44566.yml +++ b/gems/activerecord/CVE-2022-44566.yml @@ -13,7 +13,7 @@ description: | Versions Affected: All. Not affected: None. - Fixed Versions: 7.0.4.1, 6.1.7.1 + Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 # Impact 
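Review bot: The new `- "~> 5.2.8, >= 5.2.8.15"` entry under `patched_versions` tells bundler-audit to treat every actionpack at or above that LTS version as fixed, so the claim should rest on evidence a maintainer can check; the only evidence in this patch is the commit-message changelog anchor `jul-21st-2022-version-5-2-8-15`, a date that reads earlier than the January 2023 dates on this series, so confirm the cited release really contains this fix (the anchor may just be mistyped). The same entry is added in this patch to CVE-2023-22795, CVE-2022-44566 and CVE-2023-22796. Consider carrying the LTS changelog URL in each advisory file itself rather than only in the commit message, so the provenance of the 5.2.8.15 claim is auditable from the data consumers actually read.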
@@ -28,5 +28,6 @@ description: | Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats. patched_versions: +- "~> 5.2.8, >= 5.2.8.15" - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activesupport/CVE-2023-22796.yml b/gems/activesupport/CVE-2023-22796.yml index 68bf20d682..fbf4b75157 100644 --- a/gems/activesupport/CVE-2023-22796.yml +++ b/gems/activesupport/CVE-2023-22796.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 # Impact @@ -34,5 +34,6 @@ description: |- Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout. patched_versions: +- "~> 5.2.8, >= 5.2.8.15" - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" From 50d6e1d41cee434a3703598935e0bea41aecca51 Mon Sep 17 00:00:00 2001 From: tkdn Date: Mon, 23 Jan 2023 17:20:10 +0900 Subject: [PATCH 2/3] Add comments for rails LTS version - https://github.com/rubysec/ruby-advisory-db/pull/538#issuecomment-1399933336 --- gems/actionpack/CVE-2023-22792.yml | 4 ++-- gems/actionpack/CVE-2023-22795.yml | 4 ++-- gems/activerecord/CVE-2022-44566.yml | 4 ++-- gems/activesupport/CVE-2023-22796.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/gems/actionpack/CVE-2023-22792.yml b/gems/actionpack/CVE-2023-22792.yml index 87dd7f960b..ace191346f 100644 --- a/gems/actionpack/CVE-2023-22792.yml +++ b/gems/actionpack/CVE-2023-22792.yml @@ -12,7 +12,7 @@ description: | Versions Affected: >= 3.0.0 Not affected: < 3.0.0 - Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -32,6 +32,6 @@ description: | unaffected_versions: - "< 3.0.0" patched_versions: -- "~> 5.2.8, >= 5.2.8.15" +- "~> 5.2.8, >= 5.2.8.15" # rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" 
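Review bot: The trailing comment on the new `- "~> 5.2.8, >= 5.2.8.15" # rails LTS` line sits one space after the value, which yamllint's default `comments` rule (two spaces before an inline `#`) flags; write it as `- "~> 5.2.8, >= 5.2.8.15"  # Rails LTS`. The same spacing is used in the matching hunks of CVE-2023-22795, CVE-2022-44566 and CVE-2023-22796 in this patch, and patch 3/3 keeps the single space while only recapitalising the text. Since YAML comments are dropped on parse, the LTS marker is invisible to bundler-audit and only informs human readers, which is fine provided that is the intent.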
diff --git a/gems/actionpack/CVE-2023-22795.yml b/gems/actionpack/CVE-2023-22795.yml index a1e00612d5..7562034604 100644 --- a/gems/actionpack/CVE-2023-22795.yml +++ b/gems/actionpack/CVE-2023-22795.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -32,6 +32,6 @@ description: |- Users on Ruby 3.2.0 or greater are not affected by this vulnerability. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" +- "~> 5.2.8, >= 5.2.8.15" # rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activerecord/CVE-2022-44566.yml b/gems/activerecord/CVE-2022-44566.yml index 1a3794df7f..4424bb6275 100644 --- a/gems/activerecord/CVE-2022-44566.yml +++ b/gems/activerecord/CVE-2022-44566.yml @@ -13,7 +13,7 @@ description: | Versions Affected: All. Not affected: None. - Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -28,6 +28,6 @@ description: | Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" +- "~> 5.2.8, >= 5.2.8.15" # rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activesupport/CVE-2023-22796.yml b/gems/activesupport/CVE-2023-22796.yml index fbf4b75157..def2cea2bc 100644 --- a/gems/activesupport/CVE-2023-22796.yml +++ b/gems/activesupport/CVE-2023-22796.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 5.2.8.15, 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -34,6 +34,6 @@ description: |- Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" +- "~> 5.2.8, >= 5.2.8.15" # rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" 
From 256f52cd723a930e69f74aeb8616cf0a5649f770 Mon Sep 17 00:00:00 2001 From: Reed Loden Date: Mon, 23 Jan 2023 10:14:48 -0800 Subject: [PATCH 3/3] Minor fixes --- gems/actionpack/CVE-2023-22792.yml | 4 ++-- gems/actionpack/CVE-2023-22795.yml | 4 ++-- gems/activerecord/CVE-2022-44566.yml | 4 ++-- gems/activesupport/CVE-2023-22796.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/gems/actionpack/CVE-2023-22792.yml b/gems/actionpack/CVE-2023-22792.yml index ace191346f..0e38c99a9d 100644 --- a/gems/actionpack/CVE-2023-22792.yml +++ b/gems/actionpack/CVE-2023-22792.yml @@ -12,7 +12,7 @@ description: | Versions Affected: >= 3.0.0 Not affected: < 3.0.0 - Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -32,6 +32,6 @@ description: | unaffected_versions: - "< 3.0.0" patched_versions: -- "~> 5.2.8, >= 5.2.8.15" # rails LTS +- "~> 5.2.8, >= 5.2.8.15" # Rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/actionpack/CVE-2023-22795.yml b/gems/actionpack/CVE-2023-22795.yml index 7562034604..d8ceac4023 100644 --- a/gems/actionpack/CVE-2023-22795.yml +++ b/gems/actionpack/CVE-2023-22795.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -32,6 +32,6 @@ description: |- Users on Ruby 3.2.0 or greater are not affected by this vulnerability. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" # rails LTS +- "~> 5.2.8, >= 5.2.8.15" # Rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activerecord/CVE-2022-44566.yml b/gems/activerecord/CVE-2022-44566.yml index 4424bb6275..9666bfe069 100644 --- a/gems/activerecord/CVE-2022-44566.yml +++ b/gems/activerecord/CVE-2022-44566.yml 
@@ -13,7 +13,7 @@ description: | Versions Affected: All. Not affected: None. - Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -28,6 +28,6 @@ description: | Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" # rails LTS +- "~> 5.2.8, >= 5.2.8.15" # Rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1" diff --git a/gems/activesupport/CVE-2023-22796.yml b/gems/activesupport/CVE-2023-22796.yml index def2cea2bc..778e972c11 100644 --- a/gems/activesupport/CVE-2023-22796.yml +++ b/gems/activesupport/CVE-2023-22796.yml @@ -12,7 +12,7 @@ description: |- Versions Affected: All Not affected: None - Fixed Versions: 5.2.8.15(rails LTS), 6.1.7.1, 7.0.4.1 + Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 # Impact @@ -34,6 +34,6 @@ description: |- Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout. patched_versions: -- "~> 5.2.8, >= 5.2.8.15" # rails LTS +- "~> 5.2.8, >= 5.2.8.15" # Rails LTS - "~> 6.1.7, >= 6.1.7.1" - ">= 7.0.4.1"