
Incorrect vulnerable versions for passenger vuln

Open mveytsman opened this issue 10 years ago • 2 comments

This vulnerability https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/OSVDB-90738.yml affects versions 4.0.0.beta1 and 4.0.0.beta2 (see http://old.blog.phusion.nl/2013/03/05/phusion-passenger-4-0-beta-1-and-2-arbitrary-file-deletion-vulnerability/).

The current patched_versions and unaffected_versions don't cover that.

Is it possible to write the conditions that will capture this vuln using only patched_versions and unaffected_versions, or do we need to add a vulnerable_versions field?

(cc @postmodern I ran some test cases with bundler_audit and it fails as well).

mveytsman avatar Jun 13 '15 04:06 mveytsman

Testing with rubygems, < 4.0.0 will include 4.0.0.beta.

# A "< 4.0.0" requirement is satisfied by the 4.0.0.beta1 prerelease
dep = Gem::Requirement.new('< 4.0.0')
dep.satisfied_by?(Gem::Version.new('4.0.0.beta1'))
# => true

postmodern avatar Jun 18 '15 18:06 postmodern

From #rubygems:

<imperator> < 4.0.0.beta

Confirmed that < 4.0.0.beta excludes 4.0.0, 4.0.0.beta, 4.0.0.rc, 4.0.0.beta.

postmodern avatar Jun 18 '15 19:06 postmodern
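The two comments above show the RubyGems ordering that makes the advisory wrong: a prerelease sorts below its release, so "< 4.0.0" swallows 4.0.0.beta1. The following script is an added example (not code from the thread, the advisory database, or bundler-audit) that checks a list of Passenger versions against two constructed advisory shapes, one with release-only boundaries and one with the "< 4.0.0.beta" boundary suggested on #rubygems. It assumes the advisory fields patched_versions and unaffected_versions hold Gem::Requirement strings and applies the rule that a version is vulnerable unless some patched or unaffected requirement matches it; the ">= 4.0.0.beta3" patched boundary is an assumption for illustration, not taken from the actual advisory file.

```ruby
require "rubygems"

# Assumed advisory shape, modelled on the ruby-advisory-db YAML fields:
# patched_versions / unaffected_versions are lists of Gem::Requirement strings.
# A version is vulnerable unless some patched or some unaffected requirement
# matches it.
def vulnerable?(version, patched:, unaffected: [])
  v = Gem::Version.new(version)
  safe = (patched + unaffected).any? do |req|
    Gem::Requirement.new(req).satisfied_by?(v)
  end
  !safe
end

# Constructed sample: the two versions the issue says are affected plus
# neighbours on either side of them.
SAMPLE_VERSIONS = %w[3.9.5 4.0.0.beta1 4.0.0.beta2 4.0.0.beta3 4.0.0.rc1 4.0.0].freeze

# Advisory written with release-only boundaries. "< 4.0.0" is satisfied by
# every 4.0.0 prerelease, so the affected betas are reported as unaffected.
RELEASE_ONLY = { patched: [">= 4.0.0"], unaffected: ["< 4.0.0"] }.freeze

# Advisory written with prerelease boundaries (assumed values): "< 4.0.0.beta"
# sorts below every 4.0.0.betaN, and ">= 4.0.0.beta3" covers beta3, the rc
# builds and the final 4.0.0 release.
PRERELEASE_AWARE = { patched: [">= 4.0.0.beta3"], unaffected: ["< 4.0.0.beta"] }.freeze

# Versions from the sample that the given advisory reports as vulnerable.
def flagged(advisory)
  SAMPLE_VERSIONS.select { |ver| vulnerable?(ver, **advisory) }
end

# Reproduces the check from the thread: "< 4.0.0" is satisfied by a prerelease.
def prerelease_below_release?
  Gem::Requirement.new("< 4.0.0").satisfied_by?(Gem::Version.new("4.0.0.beta1"))
end

# The boundary suggested on #rubygems: "< 4.0.0.beta" is not satisfied by beta1.
def beta_boundary_excludes_beta1?
  !Gem::Requirement.new("< 4.0.0.beta").satisfied_by?(Gem::Version.new("4.0.0.beta1"))
end

if $PROGRAM_NAME == __FILE__
  puts "< 4.0.0 matches 4.0.0.beta1:       #{prerelease_below_release?}"
  puts "< 4.0.0.beta excludes 4.0.0.beta1: #{beta_boundary_excludes_beta1?}"
  puts "release-only advisory flags:       #{flagged(RELEASE_ONLY).inspect}"
  puts "prerelease-aware advisory flags:   #{flagged(PRERELEASE_AWARE).inspect}"
end
```

Running it shows the release-only advisory flagging nothing, while the prerelease-aware advisory flags exactly 4.0.0.beta1 and 4.0.0.beta2; the same comparison is a useful regression test for any advisory whose affected range lies entirely inside prerelease builds.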

This issue was "fixed" under the OSVDB renaming PR: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2012-6135.yml

jasnow avatar Mar 21 '23 16:03 jasnow