rubysec
diff --git a/‎advisories/_posts/2016-01-25-CVE-2015-7576.md
Lines changed: 102 additions & 39 deletions b/‎advisories/_posts/2016-01-25-CVE-2015-7576.md
Lines changed: 102 additions & 39 deletions
diff --git a/‎advisories/_posts/2016-01-25-CVE-2015-7577.md
Lines changed: 89 additions & 42 deletions b/‎advisories/_posts/2016-01-25-CVE-2015-7577.md
Lines changed: 89 additions & 42 deletions
diff --git a/‎advisories/_posts/2016-01-25-CVE-2016-0751.md
Lines changed: 57 additions & 23 deletions b/‎advisories/_posts/2016-01-25-CVE-2016-0751.md
Lines changed: 57 additions & 23 deletions
@@ -13,46 +13,109 @@ advisory:
   date: 2016-01-25
   url: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
   title: Timing attack vulnerability in basic authentication in Action Controller.
-  description: "There is a timing attack vulnerability in the basic authentication
-    support \nin Action Controller. This vulnerability has been assigned the CVE \nidentifier
-    CVE-2015-7576. \n\nVersions Affected:  All. \nNot affected:       None. \nFixed
-    Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 \n\nImpact \n------ \nDue
-    to the way that Action Controller compares user names and passwords in \nbasic
-    authentication authorization code, it is possible for an attacker to \nanalyze
-    the time taken by a response and intuit the password. \n\nFor example, this string
-    comparison: \n\n  \"foo\" == \"bar\" \n\nis possibly faster than this comparison:
-    \n\n  \"foo\" == \"fo1\" \n\nAttackers can use this information to attempt to
-    guess the username and \npassword used in the basic authentication system. \n\nYou
-    can tell you application is vulnerable to this attack by looking for \n`http_basic_authenticate_with`
-    method calls in your application. \n\nAll users running an affected release should
-    either upgrade or use one of \nthe workarounds immediately. \n\nReleases \n--------
-    \nThe FIXED releases are available at the normal locations. \n\nWorkarounds \n-----------
-    \nIf you can't upgrade, please use the following monkey patch in an initializer
-    \nthat is loaded before your application: \n\n``` \n$ cat config/initializers/basic_auth_fix.rb
-    \nmodule ActiveSupport \n  module SecurityUtils \n    def secure_compare(a, b)
-    \n      return false unless a.bytesize == b.bytesize \n\n      l = a.unpack \"C#{a.bytesize}\"
-    \n\n      res = 0 \n      b.each_byte { |byte| res |= byte ^ l.shift } \n      res
-    == 0 \n    end \n    module_function :secure_compare \n\n    def variable_size_secure_compare(a,
-    b) \n      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
-    \n    end \n    module_function :variable_size_secure_compare \n  end \nend \n\nmodule
-    ActionController \n  class Base \n    def self.http_basic_authenticate_with(options
-    = {}) \n      before_action(options.except(:name, :password, :realm)) do \n        authenticate_or_request_with_http_basic(options[:realm]
-    || \"Application\") do |name, password| \n          # This comparison uses & so
-    that it doesn't short circuit and \n          # uses `variable_size_secure_compare`
-    so that length information \n          # isn't leaked. \n          ActiveSupport::SecurityUtils.variable_size_secure_compare(name,
-    options[:name]) & \n            ActiveSupport::SecurityUtils.variable_size_secure_compare(password,
-    options[:password]) \n        end \n      end \n    end \n  end \nend \n``` \n\n\nPatches
-    \n------- \nTo aid users who aren't able to upgrade immediately we have provided
-    patches for \nthe two supported release series. They are in git-am format and
-    consist of a \nsingle changeset. \n\n* 4-1-basic_auth.patch - Patch for 4.1 series
-    \n* 4-2-basic_auth.patch - Patch for 4.2 series \n* 5-0-basic_auth.patch - Patch
-    for 5.0 series \n\nPlease note that only the 4.1.x and 4.2.x series are supported
-    at present. Users \nof earlier unsupported releases are advised to upgrade as
-    soon as possible as we \ncannot guarantee the continued availability of security
-    fixes for unsupported \nreleases. \n\nCredits \n------- \n\nThank you to Daniel
-    Waterworth for reporting the problem and working with us to \nfix it.\n"
+  description: |
+    There is a timing attack vulnerability in the basic authentication support
+    in Action Controller. This vulnerability has been assigned the CVE
+    identifier CVE-2015-7576.
+
+    Versions Affected:  All.
+    Not affected:       None.
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+    Impact
+    ------
+    Due to the way that Action Controller compares user names and passwords in
+    basic authentication authorization code, it is possible for an attacker to
+    analyze the time taken by a response and intuit the password.
+
+    For example, this string comparison:
+
+      "foo" == "bar"
+
+    is possibly faster than this comparison:
+
+      "foo" == "fo1"
+
+    Attackers can use this information to attempt to guess the username and
+    password used in the basic authentication system.
+
+    You can tell you application is vulnerable to this attack by looking for
+    `http_basic_authenticate_with` method calls in your application.
+
+    All users running an affected release should either upgrade or use one of
+    the workarounds immediately.
+
+    Releases
+    --------
+    The FIXED releases are available at the normal locations.
+
+    Workarounds
+    -----------
+    If you can't upgrade, please use the following monkey patch in an initializer
+    that is loaded before your application:
+
+    ```
+    $ cat config/initializers/basic_auth_fix.rb
+    module ActiveSupport
+      module SecurityUtils
+        def secure_compare(a, b)
+          return false unless a.bytesize == b.bytesize
+
+          l = a.unpack "C#{a.bytesize}"
+
+          res = 0
+          b.each_byte { |byte| res |= byte ^ l.shift }
+          res == 0
+        end
+        module_function :secure_compare
+
+        def variable_size_secure_compare(a, b)
+          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+        end
+        module_function :variable_size_secure_compare
+      end
+    end
+
+    module ActionController
+      class Base
+        def self.http_basic_authenticate_with(options = {})
+          before_action(options.except(:name, :password, :realm)) do
+            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
+              # This comparison uses & so that it doesn't short circuit and
+              # uses `variable_size_secure_compare` so that length information
+              # isn't leaked.
+              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+            end
+          end
+        end
+      end
+    end
+    ```
+
+
+    Patches
+    -------
+    To aid users who aren't able to upgrade immediately we have provided patches for
+    the two supported release series. They are in git-am format and consist of a
+    single changeset.
+
+    * 4-1-basic_auth.patch - Patch for 4.1 series
+    * 4-2-basic_auth.patch - Patch for 4.2 series
+    * 5-0-basic_auth.patch - Patch for 5.0 series
+
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+    of earlier unsupported releases are advised to upgrade as soon as possible as we
+    cannot guarantee the continued availability of security fixes for unsupported
+    releases.
+
+    Credits
+    -------
+
+    Thank you to Daniel Waterworth for reporting the problem and working with us to
+    fix it.
   patched_versions:
-  - "~> 5.0.0.beta1.1"
+  - ">= 5.0.0.beta1.1"
   - "~> 4.2.5, >= 4.2.5.1"
   - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
 
@@ -13,52 +13,99 @@ advisory:
   date: 2016-01-25
   url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
   title: Nested attributes rejection proc bypass in Active Record
-  description: "There is a vulnerability in how the nested attributes feature in Active
-    Record \nhandles updates in combination with destroy flags when destroying records
-    is \ndisabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
-    \n\nVersions Affected:  3.1.0 and newer \nNot affected:       3.0.x and older
-    \nFixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 \n\nImpact \n------
-    \nWhen using the nested attributes feature in Active Record you can prevent the
-    \ndestruction of associated records by passing the `allow_destroy: false` option
-    \nto the `accepts_nested_attributes_for` method. However due to a change in the
-    \ncommit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
-    \nbeing called because it assumes that the record will be destroyed anyway. \n\nHowever
-    this isn't true if `:allow_destroy` is false so this leads to changes \nthat would
-    have been rejected being applied to the record. Attackers could use \nthis do
-    things like set attributes to invalid values and to clear all of the \nattributes
-    amongst other things. The severity will be dependent on how the \napplication
-    has used this feature. \n\nAll users running an affected release should either
-    upgrade or use one of \nthe workarounds immediately. \n\nReleases \n-------- \nThe
-    FIXED releases are available at the normal locations. \n\nWorkarounds \n-----------
-    \nIf you can't upgrade, please use the following monkey patch in an initializer
-    \nthat is loaded before your application: \n\n``` \n$ cat config/initializers/nested_attributes_bypass_fix.rb
-    \nmodule ActiveRecord \n  module NestedAttributes \n    private \n\n    def reject_new_record?(association_name,
-    attributes) \n      will_be_destroyed?(association_name, attributes) || call_reject_if(association_name,
-    attributes) \n    end \n\n    def call_reject_if(association_name, attributes)
-    \n      return false if will_be_destroyed?(association_name, attributes) \n\n
-    \     case callback = self.nested_attributes_options[association_name][:reject_if]
-    \n      when Symbol \n        method(callback).arity == 0 ? send(callback) : send(callback,
-    attributes) \n      when Proc \n        callback.call(attributes) \n      end
-    \n    end \n\n    def will_be_destroyed?(association_name, attributes) \n      allow_destroy?(association_name)
-    && has_destroy_flag?(attributes) \n    end \n\n    def allow_destroy?(association_name)
-    \n      self.nested_attributes_options[association_name][:allow_destroy] \n    end
-    \n  end \nend \n``` \n\nPatches \n------- \nTo aid users who aren't able to upgrade
-    immediately we have provided patches for \nthe two supported release series. They
-    are in git-am format and consist of a \nsingle changeset. \n\n* 3-2-nested-attributes-reject-if-bypass.patch
-    - Patch for 3.2 series \n* 4-1-nested-attributes-reject-if-bypass.patch - Patch
-    for 4.1 series \n* 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2
-    series \n* 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
-    \n\nPlease note that only the 4.1.x and 4.2.x series are supported at present.
-    Users \nof earlier unsupported releases are advised to upgrade as soon as possible
-    as we \ncannot guarantee the continued availability of security fixes for unsupported
-    \nreleases. \n\nCredits \n------- \nThank you to Justin Coyne for reporting the
-    problem and working with us to fix it. \n\n[1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
-    \n"
+  description: |
+    There is a vulnerability in how the nested attributes feature in Active Record
+    handles updates in combination with destroy flags when destroying records is
+    disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
+
+    Versions Affected:  3.1.0 and newer
+    Not affected:       3.0.x and older
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+    Impact
+    ------
+    When using the nested attributes feature in Active Record you can prevent the
+    destruction of associated records by passing the `allow_destroy: false` option
+    to the `accepts_nested_attributes_for` method. However due to a change in the
+    commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
+    being called because it assumes that the record will be destroyed anyway.
+
+    However this isn't true if `:allow_destroy` is false so this leads to changes
+    that would have been rejected being applied to the record. Attackers could use
+    this do things like set attributes to invalid values and to clear all of the
+    attributes amongst other things. The severity will be dependent on how the
+    application has used this feature.
+
+    All users running an affected release should either upgrade or use one of
+    the workarounds immediately.
+
+    Releases
+    --------
+    The FIXED releases are available at the normal locations.
+
+    Workarounds
+    -----------
+    If you can't upgrade, please use the following monkey patch in an initializer
+    that is loaded before your application:
+
+    ```
+    $ cat config/initializers/nested_attributes_bypass_fix.rb
+    module ActiveRecord
+      module NestedAttributes
+        private
+
+        def reject_new_record?(association_name, attributes)
+          will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
+        end
+
+        def call_reject_if(association_name, attributes)
+          return false if will_be_destroyed?(association_name, attributes)
+
+          case callback = self.nested_attributes_options[association_name][:reject_if]
+          when Symbol
+            method(callback).arity == 0 ? send(callback) : send(callback, attributes)
+          when Proc
+            callback.call(attributes)
+          end
+        end
+
+        def will_be_destroyed?(association_name, attributes)
+          allow_destroy?(association_name) && has_destroy_flag?(attributes)
+        end
+
+        def allow_destroy?(association_name)
+          self.nested_attributes_options[association_name][:allow_destroy]
+        end
+      end
+    end
+    ```
+
+    Patches
+    -------
+    To aid users who aren't able to upgrade immediately we have provided patches for
+    the two supported release series. They are in git-am format and consist of a
+    single changeset.
+
+    * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
+    * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
+    * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
+    * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
+
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+    of earlier unsupported releases are advised to upgrade as soon as possible as we
+    cannot guarantee the continued availability of security fixes for unsupported
+    releases.
+
+    Credits
+    -------
+    Thank you to Justin Coyne for reporting the problem and working with us to fix it.
+
+    [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
   unaffected_versions:
   - "~> 3.0.0"
   - "< 3.0.0"
   patched_versions:
-  - "~> 5.0.0.beta1.1"
+  - ">= 5.0.0.beta1.1"
   - "~> 4.2.5, >= 4.2.5.1"
   - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"
 
@@ -13,30 +13,64 @@ advisory:
   date: 2016-01-25
   url: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
   title: Possible Object Leak and Denial of Service attack in Action Pack
-  description: "There is a possible object leak which can lead to a denial of service
-    \nvulnerability in Action Pack. This vulnerability has been \nassigned the CVE
-    identifier CVE-2016-0751. \n\nVersions Affected:  All. \nNot affected:       None.
-    \nFixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 \n\nImpact \n------
-    \nA carefully crafted accept header can cause a global cache of mime types to
-    \ngrow indefinitely which can lead to a possible denial of service attack in \nAction
-    Pack. \n\nAll users running an affected release should either upgrade or use one
-    of the \nworkarounds immediately. \n\nReleases \n-------- \nThe FIXED releases
-    are available at the normal locations. \n\nWorkarounds \n----------- \nThis attack
-    can be mitigated by a proxy that only allows known mime types in \nthe Accept
-    header. \n\nPlacing the following code in an initializer will also mitigate the
-    issue: \n\n```ruby \nrequire 'action_dispatch/http/mime_type' \n\nMime.const_set
-    :LOOKUP, Hash.new { |h,k| \n  Mime::Type.new(k) unless k.blank? \n} \n``` \n\nPatches
-    \n------- \nTo aid users who aren't able to upgrade immediately we have provided
-    patches for \nthe two supported release series. They are in git-am format and
-    consist of a \nsingle changeset. \n\n* 5-0-mime_types_leak.patch - Patch for 5.0
-    series \n* 4-2-mime_types_leak.patch - Patch for 4.2 series \n* 4-1-mime_types_leak.patch
-    - Patch for 4.1 series \n* 3-2-mime_types_leak.patch - Patch for 3.2 series \n\nPlease
-    note that only the 4.1.x and 4.2.x series are supported at present. Users \nof
-    earlier unsupported releases are advised to upgrade as soon as possible as we
-    \ncannot guarantee the continued availability of security fixes for unsupported
-    \nreleases. \n\nCredits \n------- \nAaron Patterson <3<3\n"
+  description: |
+    There is a possible object leak which can lead to a denial of service
+    vulnerability in Action Pack. This vulnerability has been
+    assigned the CVE identifier CVE-2016-0751.
+
+    Versions Affected:  All.
+    Not affected:       None.
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+    Impact
+    ------
+    A carefully crafted accept header can cause a global cache of mime types to
+    grow indefinitely which can lead to a possible denial of service attack in
+    Action Pack.
+
+    All users running an affected release should either upgrade or use one of the
+    workarounds immediately.
+
+    Releases
+    --------
+    The FIXED releases are available at the normal locations.
+
+    Workarounds
+    -----------
+    This attack can be mitigated by a proxy that only allows known mime types in
+    the Accept header.
+
+    Placing the following code in an initializer will also mitigate the issue:
+
+    ```ruby
+    require 'action_dispatch/http/mime_type'
+
+    Mime.const_set :LOOKUP, Hash.new { |h,k|
+      Mime::Type.new(k) unless k.blank?
+    }
+    ```
+
+    Patches
+    -------
+    To aid users who aren't able to upgrade immediately we have provided patches for
+    the two supported release series. They are in git-am format and consist of a
+    single changeset.
+
+    * 5-0-mime_types_leak.patch - Patch for 5.0 series
+    * 4-2-mime_types_leak.patch - Patch for 4.2 series
+    * 4-1-mime_types_leak.patch - Patch for 4.1 series
+    * 3-2-mime_types_leak.patch - Patch for 3.2 series
+
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+    of earlier unsupported releases are advised to upgrade as soon as possible as we
+    cannot guarantee the continued availability of security fixes for unsupported
+    releases.
+
+    Credits
+    -------
+    Aaron Patterson <3<3
   patched_versions:
-  - "~> 5.0.0.beta1.1"
+  - ">= 5.0.0.beta1.1"
   - "~> 4.2.5, >= 4.2.5.1"
   - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"