GHSA SYNC: 1 new advisory; 2 modified advisories

rubies/jruby/CVE-2011-4838.yml

@@ -22,3 +22,5 @@ related:
     - https://www.kb.cert.org/vuls/id/903934
     - https://exchange.xforce.ibmcloud.com/vulnerabilities/72019
     - https://github.com/advisories/GHSA-cgqc-fqxr-q6r6
+notes: |
+  - CVE-2011-4815 is the same issue but for Ruby.

rubies/jruby/CVE-2019-16254.yml

@@ -0,0 +1,32 @@
+---
+engine: jruby
+cve: 2019-16254
+ghsa: w9fp-2996-hhwx
+url: https://nvd.nist.gov/vuln/detail/CVE-2019-16254
+title: HTTP response splitting in WEBrick (Additional fix)
+date: 2019-10-01
+description: |
+  If a program using WEBrick inserts untrusted input into the response header,
+  an attacker can exploit it to insert a newline character to split a header,
+  and inject malicious content to deceive clients.
+
+  This is the same issue as CVE-2017-17742. The previous fix was incomplete,
+  which addressed the CRLF vector, but did not address an isolated CR or an
+  isolated LF.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+  - ">= 9.2.12.0"
+related:
+  cve:
+    - CVE-2017-17742
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-16254
+    - https://github.com/jruby/jruby/releases/tag/9.2.12.0
+    - https://github.com/jruby/jruby/pull/6308
+    - https://github.com/jruby/jruby/issues/6304
+    - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+    - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
+    - https://github.com/advisories/GHSA-w9fp-2996-hhwx

rubies/ruby/CVE-2011-4815.yml

@@ -22,3 +22,5 @@ related:
     - https://nvd.nist.gov/vuln/detail/CVE-2011-4815
     - https://github.com/advisories/GHSA-xpr8-vpc7-7vfc
     - http://www.osvdb.org/show/osvdb/78118
+notes: |
+  - CVE-2011-4838 is the same issue but for JRuby.