
Merge the two sup vulnerabilities

Open mveytsman opened this issue 8 years ago • 5 comments

While the entries in https://github.com/rubysec/ruby-advisory-db/tree/master/gems/sup have different CVEs, it's the same vuln with the same fixed versions.

Maybe we should merge them?

mveytsman avatar Jul 12 '15 22:07 mveytsman

If you check the CVE descriptions: one is for RCE via the filename, the second is for RCE via the content_type, so they are slightly different.

jeremyolliver avatar Jul 12 '15 23:07 jeremyolliver

Yeah, rather keep CVEs separate. Just ran into this with #168. Saves a lot of historical work later by tracking them separately.

reedloden avatar Jul 20 '15 00:07 reedloden

Thinking about this more, I disagree.

We should have a schema to track other CVEs that a vulnerability refers to, but no reason to have 2 separate rubysec vulns for this. It only leads to confusion, since in our database they look like duplicates, and no one gains any new information by seeing the two entries.

The schema should look like:

other_cves: 
 - 2013-4478

mveytsman avatar Jul 28 '15 01:07 mveytsman

other_cves seems weird (which is the primary and which goes in other?)... any reason why not to permit cve to have multiple ones? In that case, what do you name the file?

reedloden avatar Jul 28 '15 01:07 reedloden

Agreed, it should be cve.

For now, for this particular file we can stick with the osvdb number.

It is high time we pick something else for file naming.

mveytsman avatar Jul 28 '15 01:07 mveytsman

@jasnow has added the related: CVE and GHSA IDs to the two vulnerabilities (PR #646). We should avoid merging CVEs as they are supposed to be individually enumerated vulnerabilities.

postmodern avatar Jun 23 '23 16:06 postmodern
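The situation the thread describes (two advisory files for one gem, distinct CVEs, identical patched versions) can be caught mechanically, and the resolution the thread settled on (keep the files separate, cross-reference via `related: cve:`) can be checked the same way. The following is an added example, not code from ruby-advisory-db or any of the commenters: the advisory documents are constructed in the repository's YAML layout, the second CVE id, the `other` gem and all version strings are placeholders, and only `2013-4478` comes from the thread.

```ruby
require 'yaml'

# Constructed advisory files in the ruby-advisory-db layout. The first CVE id
# is the one quoted in the thread; the second is a placeholder standing in for
# the other sup advisory, and the third entry is an unrelated gem as a control.
# Version strings are illustrative, not the real sup fix versions.
ADVISORY_FILES = {
  'gems/sup/CVE-2013-4478.yml' => <<~YAML,
    gem: sup
    cve: 2013-4478
    patched_versions:
      - "~> 0.12.1.1"
      - ">= 0.13.2.1"
  YAML
  'gems/sup/CVE-2013-0000.yml' => <<~YAML,
    gem: sup
    cve: 2013-0000
    patched_versions:
      - ">= 0.13.2.1"
      - "~> 0.12.1.1"
    related:
      cve:
        - 2013-4478
  YAML
  'gems/other/CVE-2013-0001.yml' => <<~YAML,
    gem: other
    cve: 2013-0001
    patched_versions:
      - ">= 1.0.1"
  YAML
}.freeze

# Parse every file into a hash and remember its path for reporting.
def load_advisories(files)
  files.map { |path, text| YAML.safe_load(text).merge('path' => path) }
end

# Group advisories by gem and the order-independent set of patched versions.
# A group with several entries is the thread's case: distinct CVEs, one fix.
def duplicate_candidates(advisories)
  advisories.group_by { |a| [a['gem'], Array(a['patched_versions']).sort] }
            .values.select { |group| group.size > 1 }
end

# For each advisory in a duplicate group, list the peer CVEs still missing from
# its related: cve: list, so the files point at each other instead of merging.
def missing_related(groups)
  groups.flat_map do |group|
    group.map do |adv|
      peers = group.map { |a| a['cve'] } - [adv['cve']]
      [adv['path'], peers - Array(adv.dig('related', 'cve'))]
    end
  end.to_h
end
```

Running `missing_related(duplicate_candidates(load_advisories(ADVISORY_FILES)))` reports that the `CVE-2013-4478.yml` file still lacks a `related: cve:` entry for its peer, while the second file is already complete and the `other` gem is never grouped.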