From 3f28d3fd339aaf8c5c8778aaf7d3f0553e3267ba Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sun, 8 Feb 2026 12:01:44 -0500
Subject: [PATCH 1/3] GHSA SYNC: 1 new advisory; 2 modified advisories
---
 rubies/jruby/CVE-2011-4838.yml | 2 ++
 rubies/jruby/CVE-2019-16254.yml | 32 ++++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2011-4815.yml | 2 ++
 3 files changed, 36 insertions(+)
 create mode 100644 rubies/jruby/CVE-2019-16254.yml
diff --git a/rubies/jruby/CVE-2011-4838.yml b/rubies/jruby/CVE-2011-4838.yml
index bc8889302a..80d5c34995 100644
--- a/rubies/jruby/CVE-2011-4838.yml
+++ b/rubies/jruby/CVE-2011-4838.yml
@@ -22,3 +22,5 @@ related:
 - https://www.kb.cert.org/vuls/id/903934
 - https://exchange.xforce.ibmcloud.com/vulnerabilities/72019
 - https://github.com/advisories/GHSA-cgqc-fqxr-q6r6
+notes: |
+ - CVE-2011-4815 is the same issue but Ruby.
diff --git a/rubies/jruby/CVE-2019-16254.yml b/rubies/jruby/CVE-2019-16254.yml
new file mode 100644
index 0000000000..0238efa016
--- /dev/null
+++ b/rubies/jruby/CVE-2019-16254.yml
@@ -0,0 +1,32 @@
+---
+engine: jruby
+cve: 2019-16254
+ghsa: w9fp-2996-hhwx
+url: https://nvd.nist.gov/vuln/detail/CVE-2019-16254
+title: HTTP response splitting in WEBrick (Additional fix)
+date: 2019-10-01
+description: |
+ If a program using WEBrick inserts untrusted input into the response header,
+ an attacker can exploit it to insert a newline character to split a header,
+ and inject malicious content to deceive clients.
+
+ This is the same issue as CVE-2017-17742. The previous fix was incomplete,
+ which addressed the CRLF vector, but did not address an isolated CR or an
+ isolated LF.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+ - ">= 9.2.12.0"
+related:
+ cve:
+ - CVE-2017-17742
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16254
+ - https://github.com/jruby/jruby/releases/tag/9.2.12.0
+ - https://github.com/jruby/jruby/pull/6308
+ - https://github.com/jruby/jruby/issues/6304
+ - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+ - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+ - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+ - https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
+ - https://github.com/advisories/GHSA-w9fp-2996-hhwx
diff --git a/rubies/ruby/CVE-2011-4815.yml b/rubies/ruby/CVE-2011-4815.yml
index 17e5ec4fef..072b1b5775 100644
--- a/rubies/ruby/CVE-2011-4815.yml
+++ b/rubies/ruby/CVE-2011-4815.yml
@@ -22,3 +22,5 @@ related:
 - https://nvd.nist.gov/vuln/detail/CVE-2011-4815
 - https://github.com/advisories/GHSA-xpr8-vpc7-7vfc
 - http://www.osvdb.org/show/osvdb/78118
+notes: |
+ - CVE-2011-4838 is the same issue but JRuby.
From 546e22d9d34b5c2a7877973c7530a2870f7fb146 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sun, 8 Feb 2026 18:34:49 -0500
Subject: [PATCH 2/3] Fix typo in CVE-2011-4838.yml notes
---
 rubies/jruby/CVE-2011-4838.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
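Review bot: The new record's `date: 2019-10-01` is the CRuby disclosure date of the linked ruby-lang.org post, while the fix is attributed to JRuby `9.2.12.0` through the linked release tag; if this database's `date` is meant to be when a fixed JRuby was available, the value should be checked against that release, and if it is deliberately the disclosure date, a `notes:` line saying so would spare the next reader the same question. The other two hunks in this commit add a `notes:` cross-reference between the Ruby and JRuby records of one issue, yet this JRuby record carries none even though the same CVE is a CRuby advisory; a parallel entry such as `notes: |` followed by `  - The same CVE applies to CRuby's WEBrick; see rubies/ruby/CVE-2019-16254.yml if present.` would keep the three files consistent. The description is the CRuby text verbatim and names CVE-2017-17742 as the incomplete earlier fix, but whether a JRuby record for that CVE exists cannot be seen from this patch, so the `related.cve` entry should be confirmed to resolve to one before merge.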
diff --git a/rubies/jruby/CVE-2011-4838.yml b/rubies/jruby/CVE-2011-4838.yml
index 80d5c34995..41db31f915 100644
--- a/rubies/jruby/CVE-2011-4838.yml
+++ b/rubies/jruby/CVE-2011-4838.yml
@@ -23,4 +23,4 @@ related:
 - https://exchange.xforce.ibmcloud.com/vulnerabilities/72019
 - https://github.com/advisories/GHSA-cgqc-fqxr-q6r6
 notes: |
- - CVE-2011-4815 is the same issue but Ruby.
+ - CVE-2011-4815 is the same issue but for Ruby.
From c8e380cf4ba56c52ebcc21169da66ab8c425fc89 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sun, 8 Feb 2026 18:35:12 -0500
Subject: [PATCH 3/3] Fix typo in CVE-2011-4815.yml notes
---
 rubies/ruby/CVE-2011-4815.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rubies/ruby/CVE-2011-4815.yml b/rubies/ruby/CVE-2011-4815.yml
index 072b1b5775..aa3e48b147 100644
--- a/rubies/ruby/CVE-2011-4815.yml
+++ b/rubies/ruby/CVE-2011-4815.yml
@@ -23,4 +23,4 @@ related:
 - https://github.com/advisories/GHSA-xpr8-vpc7-7vfc
 - http://www.osvdb.org/show/osvdb/78118
 notes: |
- - CVE-2011-4838 is the same issue but JRuby.
+ - CVE-2011-4838 is the same issue but for JRuby.