Allow Rails 4.2.6+ for 4.2.5.1 and 4.2.5.2 CVEs

Daniel Carral · Daniel Carral · commit c36af8e0c477 · 2016-03-10T08:39:44.000+01:00
Fix #244 using the two-part constraint syntax applied in #248
diff --git a/gems/actionpack/CVE-2015-7576.yml b/gems/actionpack/CVE-2015-7576.yml
@@ -111,6 +111,6 @@ description: |
 
 patched_versions:
   - "~> 5.0.0.beta1.1"
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
diff --git a/gems/actionpack/CVE-2015-7581.yml b/gems/actionpack/CVE-2015-7581.yml
@@ -51,5 +51,5 @@ unaffected_versions:
   - ">= 5.0.0.beta1"
 
 patched_versions:
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
diff --git a/gems/actionpack/CVE-2016-0751.yml b/gems/actionpack/CVE-2016-0751.yml
@@ -66,6 +66,6 @@ description: |
 
 patched_versions:
   - "~> 5.0.0.beta1.1"
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
diff --git a/gems/actionpack/CVE-2016-2098.yml b/gems/actionpack/CVE-2016-2098.yml
@@ -85,5 +85,5 @@ unaffected_versions:
 
 patched_versions:
   - "~> 3.2.22.2"
-  - "~> 4.1.14.2"
-  - ">= 4.2.5.2"
+  - "~> 4.2.5, >= 4.2.5.2"
+  - "~> 4.1.14, >= 4.1.14.2"
diff --git a/gems/actionview/CVE-2016-0752.yml b/gems/actionview/CVE-2016-0752.yml
@@ -87,6 +87,6 @@ description: |
 
 patched_versions:
   - "~> 5.0.0.beta1.1"
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
diff --git a/gems/actionview/CVE-2016-2097.yml b/gems/actionview/CVE-2016-2097.yml
@@ -86,4 +86,4 @@ unaffected_versions:
 
 patched_versions:
   - "~> 3.2.22.2"
-  - "~> 4.1.14.2"
+  - "~> 4.1.14, >= 4.1.14.2"
diff --git a/gems/activemodel/CVE-2016-0753.yml b/gems/activemodel/CVE-2016-0753.yml
@@ -88,5 +88,5 @@ unaffected_versions:
 
 patched_versions:
   - "~> 5.0.0.beta1.1"
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
diff --git a/gems/activerecord/CVE-2015-7577.yml b/gems/activerecord/CVE-2015-7577.yml
@@ -102,6 +102,6 @@ unaffected_versions:
 
 patched_versions:
   - "~> 5.0.0.beta1.1"
-  - ">= 4.2.5.1"
-  - "~> 4.1.14.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
diff --git a/rubies/ruby/CVE-2015-1855.yml b/rubies/ruby/CVE-2015-1855.yml
@@ -0,0 +1,17 @@
+---
+engine: ruby
+cve: 2015-1855
+url: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
+title: Ruby OpenSSL Hostname Verification
+date: 2015-04-13
+description: |
+  After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching
+  hostnames and particularly wildcard certificates.
+  Ruby’s OpenSSL extension will now provide a string-based matching algorithm which
+  follows more strict behavior, as recommended by these RFCs. In particular,
+  matching of more than one wildcard per subject/SAN is no-longer allowed. As well,
+  comparison of these values is now case-insensitive.
+patched_versions:
+  - ~> 2.0.0.645
+  - ~> 2.1.6
+  - ~> 2.2.2
