From 56f585b558f0b5ed7754ee24a4497bda9f13958d Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sat, 14 Feb 2026 14:19:53 -0500
Subject: [PATCH 1/5] GHSA SYNC: 6 enhanced ruby advisories
---
 rubies/ruby/CVE-2005-2337.yml | 32 ++++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2006-6303.yml | 25 +++++++++++++++++++++++++
 rubies/ruby/CVE-2008-1145.yml | 29 +++++++++++++++++++++++++++++
 rubies/ruby/CVE-2017-14064.yml | 24 +++++++++++++++++++++++-
 rubies/ruby/CVE-2017-6181.yml | 26 ++++++++++++++++++++++++++
 rubies/ruby/CVE-2019-16255.yml | 28 +++++++++++++++++++++++++++-
 6 files changed, 162 insertions(+), 2 deletions(-)
 create mode 100644 rubies/ruby/CVE-2005-2337.yml
 create mode 100644 rubies/ruby/CVE-2006-6303.yml
 create mode 100644 rubies/ruby/CVE-2008-1145.yml
 create mode 100644 rubies/ruby/CVE-2017-6181.yml
diff --git a/rubies/ruby/CVE-2005-2337.yml b/rubies/ruby/CVE-2005-2337.yml
new file mode 100644
index 0000000000..69b5f97eb9
--- /dev/null
+++ b/rubies/ruby/CVE-2005-2337.yml
@@ -0,0 +1,32 @@
+---
+engine: ruby
+cve: 2005-2337
+ghsa: w8mr-4m5w-x8wv
+url: https://nvd.nist.gov/vuln/detail/CVE-2005-2337
+title: Security Bypass Vulnerability with Ruby
+date: 2005-10-07
+description: |
+ The Ruby language has a security mechanism (security model) that
+ can restrict operations on untrusted objects. This security model
+ is based on mechanisms called "object taint" and "safe level."
+ A vulnerability has been confirmed that allows arbitrary script
+ execution by bypassing the "safe level" setting and taint
+ flag protections and execute disallowed code when Ruby
+ processes a program through standard input (stdin).
+cvss_v2: 7.5
+patched_versions:
+ - "~> 1.6.9"
+ - ">= 1.8.3"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2005-2337
+ - https://web.archive.org/web/20060104024955/https://www.ruby-lang.org/en/20051003.html
+ - https://jvn.jp/jp/JVN62914675/index.html
+
+ - http://www.debian.org/security/2005/dsa-860
+ - http://www.debian.org/security/2005/dsa-862
+ - http://www.debian.org/security/2005/dsa-864
+ - http://www.kb.cert.org/vuls/id/160012
+ - http://www.gentoo.org/security/en/glsa/glsa-200510-05.xml
+ - https://ubuntu.com/security/notices/USN-195-1
+ - https://github.com/advisories/GHSA-w8mr-4m5w-x8wv
diff --git a/rubies/ruby/CVE-2006-6303.yml b/rubies/ruby/CVE-2006-6303.yml
new file mode 100644
index 0000000000..2aa98dc51d
--- /dev/null
+++ b/rubies/ruby/CVE-2006-6303.yml
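Review bot: The `date:` in this new file (`2005-10-07`) does not match the ruby-lang announcement it cites, whose archived URL in the `related.url` list carries the date `20051003`, whereas the two existing entries touched by this commit (CVE-2017-14064, CVE-2019-16255) keep `date:` equal to the ruby-lang announcement date. The same offset appears in the other two new files, CVE-2006-6303 (`2006-12-06` against the `2006/12/04` news URL) and CVE-2008-1145 (`2008-03-04` against `2008/03/03`), which suggests the NVD publication date was taken for all three. If `date:` is meant to be the vendor advisory date, this line should read `date: 2005-10-03` and the other two adjusted the same way; if the NVD date is intended, a `notes:` entry saying which source the date comes from would keep the two conventions from being mixed silently.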
@@ -0,0 +1,25 @@
+---
+engine: ruby
+cve: 2006-6303
+ghsa: fx2r-qhmq-3jjp
+url: https://nvd.nist.gov/vuln/detail/CVE-2006-6303
+title: Another DoS Vulnerability in CGI Library
+date: 2006-12-06
+description: |
+ The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does
+ not properly detect boundaries in MIME multipart content, which
+ allows remote attackers to cause a denial of service (infinite
+ loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
+cvss_v2: 5.0
+patched_versions:
+ - ">= 1.8.5-p2"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2006-6303
+ - http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library
+ - https://jvn.jp/jp/JVN84798830/index.html
+ - http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218287
+ - https://ubuntu.com/security/notices/USN-394-1
+ - http://bugs.gentoo.org/show_bug.cgi?id=157048
+ - http://security.gentoo.org/glsa/glsa-200612-21.xml
+ - https://github.com/advisories/GHSA-fx2r-qhmq-3jjp
diff --git a/rubies/ruby/CVE-2008-1145.yml b/rubies/ruby/CVE-2008-1145.yml
new file mode 100644
index 0000000000..55d234181d
--- /dev/null
+++ b/rubies/ruby/CVE-2008-1145.yml
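Review bot: `patched_versions` spells the patchlevel as `">= 1.8.5-p2"` while the CVE-2008-1145 file added by the same patch uses the dotted form (`"~> 1.8.5.p115"`, `"~> 1.8.6.p114"`); one spelling should be used across the `rubies/ruby` entries so a consumer's version parser treats them alike. Under `Gem::Version` semantics a hyphen is rewritten to `.pre.` and any lettered segment such as `p2` makes the version a prerelease that sorts below plain `1.8.5`, so if these ranges are evaluated with `Gem::Requirement` the `>=` bound here would not exclude `1.8.5` itself; I would confirm how the consumer compares engine versions before relying on either form. The line matching the sibling file would be `- ">= 1.8.5.p2"`.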
@@ -0,0 +1,29 @@
+---
+engine: ruby
+cve: 2008-1145
+ghsa: f279-rf2r-m6m5
+url: https://nvd.nist.gov/vuln/detail/CVE-2008-1145
+title: Directory traversal vulnerability in WEBrick
+date: 2008-03-04
+description: |
+ Directory traversal vulnerability in WEBrick
+ when running on systems that support backslash () path separators
+ or case-insensitive file names, allows remote attackers to access
+ arbitrary files via (1) "..%5c" (encoded backslash) sequences or
+ (2) filenames that match patterns in the :NondisclosureName option.
+
+ NOTE: Fixes are mentioned in 2008/03/03 reference.
+cvss_v2: 5.0
+patched_versions:
+ - "~> 1.8.5.p115"
+ - "~> 1.8.6.p114"
+ - ">= 1.9.0.1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-1145
+ - http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability
+ - https://www.exploit-db.com/exploits/5215
+ - http://www.kb.cert.org/vuls/id/404515
+ - http://support.apple.com/kb/HT2163
+ - http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
+ - https://github.com/advisories/GHSA-f279-rf2r-m6m5
diff --git a/rubies/ruby/CVE-2017-14064.yml b/rubies/ruby/CVE-2017-14064.yml
index f6933b8151..1fb6417fd8 100644
--- a/rubies/ruby/CVE-2017-14064.yml
+++ b/rubies/ruby/CVE-2017-14064.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2017-14064
-url: https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
+ghsa: 954h-8gv7-2q75
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-14064
 title: Heap exposure vulnerability in generating JSON
 date: 2017-09-14
 description: |
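Review bot: The description's `backslash ()` has lost the character it is describing, presumably a `\` dropped during the sync from the NVD text, and without it the sentence that explains the `..%5c` sequence no longer reads correctly. A backslash is literal inside a `|` block scalar, so the line can simply be `when running on systems that support backslash (\) path separators` with the block's indentation. Worth a quick check of the other synced descriptions in this patch for the same stripping, since the tool that dropped it here would have done so everywhere.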
@@ -14,7 +15,28 @@ description: | The JSON library is also distributed as a gem. If you can’t upgrade Ruby itself, install JSON gem newer than version 2.0.4. +cvss_v2: 7.5 +cvss_v3: 9.8 patched_versions: - "~> 2.2.8" - "~> 2.3.5" - ">= 2.4.2" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2017-14064 + - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released + - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released + - https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released + - https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064 + - https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85 + - https://bugs.ruby-lang.org/issues/13853 + - https://hackerone.com/reports/209949 + - https://www.debian.org/security/2017/dsa-3966 + - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html + - https://ubuntu.com/security/notices/USN-3685-1 + - https://security.gentoo.org/glsa/201710-18 + - https://access.redhat.com/errata/RHSA-2017:3485 + - https://access.redhat.com/errata/RHSA-2018:0378 + - https://access.redhat.com/errata/RHSA-2018:0583 + - https://access.redhat.com/errata/RHSA-2018:0585 + - https://github.com/advisories/GHSA-954h-8gv7-2q75 diff --git a/rubies/ruby/CVE-2017-6181.yml b/rubies/ruby/CVE-2017-6181.yml new file mode 100644 index 0000000000..a5719c0de0 --- /dev/null +++ b/rubies/ruby/CVE-2017-6181.yml 
@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2017-6181
+ghsa: 5pfp-rwpx-xgfx
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-6181
+title: DoS caused by infinite recursion (stack overflow) in parse_char_class()
+date: 2017-04-03
+description: |
+ The parse_char_class function in regparse.c in the Onigmo (aka
+ Oniguruma-mod) regular expression library, as used in Ruby 2.4.0,
+ allows remote attackers to cause a denial of service (deep
+ recursion and application crash) via a crafted regular expression.
+
+ ## RELEASE NOTE
+ In bug report, found
+ - "Applied in changeset r57660" and
+ - "ruby_2_4 r57909 merged revision(s) 57660"
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+ - ">= 2.4.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-6181
+ - https://bugs.ruby-lang.org/issues/13234
+ - https://github.com/advisories/GHSA-5pfp-rwpx-xgfx
diff --git a/rubies/ruby/CVE-2019-16255.yml b/rubies/ruby/CVE-2019-16255.yml
index d41053fccb..b6cbd4958c 100644
--- a/rubies/ruby/CVE-2019-16255.yml
+++ b/rubies/ruby/CVE-2019-16255.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2019-16255
-url: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
+ghsa: ph7w-p94x-9vvw
+url: https://nvd.nist.gov/vuln/detail/CVE-2019-16255
 title: A code injection vulnerability of Shell#[] and Shell#test
 date: 2019-10-01
 description: |
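Review bot: `patched_versions` lists `">= 2.4.0"`, but the description in the same hunk says the flaw is present "as used in Ruby 2.4.0", and the release-note lines beneath it record the fix as r57660 being merged to the `ruby_2_4` branch afterwards (r57909), i.e. after 2.4.0 had shipped; as written, the one release the advisory names as vulnerable is reported as patched. The bound should be the first 2.4.x release that contains that merge, `- ">= 2.4.<first patch release with r57909>"`, to be confirmed against the 2.4 release announcements rather than guessed. Whether earlier Onigmo-based releases are affected is not settled by the NVD text quoted here, so the range may also need a `~>` entry for an older series once that is known.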
@@ -13,8 +14,33 @@ description: | Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing. + + Note: Mentioned as being fixed in JRuby 9.3.0.0 release. URLs at bottom of list. +cvss_v2: 6.8 +cvss_v3: 8.1 patched_versions: - "~> 2.4.8" - "~> 2.5.7" - "~> 2.6.5" - "> 2.7.0-preview1" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2019-16255 + - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released + - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released + - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released + - https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255 + - https://seclists.org/bugtraq/2019/Dec/31 + - https://seclists.org/bugtraq/2019/Dec/32 + - https://www.debian.org/security/2019/dsa-4587 + - https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html + - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html + - https://security.gentoo.org/glsa/202003-06 + - https://www.oracle.com/security-alerts/cpujan2020.html + - https://hackerone.com/reports/327512 + - https://github.com/jruby/jruby/releases/tag/9.3.0.0 + - https://github.com/jruby/jruby/issues/5126 + - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html + - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html + - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html + - https://github.com/advisories/GHSA-ph7w-p94x-9vvw From edacdffdd0bb426b4c427f67d5e38edfe53a586d Mon Sep 17 00:00:00 2001 From: Postmodern Date: Sat, 14 Feb 2026 12:47:09 -0800 Subject: [PATCH 2/5] Remove errant empty line in `rubies/ruby/CVE-2005-2337.yml` --- rubies/ruby/CVE-2005-2337.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rubies/ruby/CVE-2005-2337.yml b/rubies/ruby/CVE-2005-2337.yml index 69b5f97eb9..88c1cc1b78 100644 --- a/rubies/ruby/CVE-2005-2337.yml 
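Review bot: The JRuby fix that the added `Note:` and the two `github.com/jruby/jruby` references point at is not expressed anywhere machine-readable: `patched_versions` holds only MRI ranges and the file is `engine: ruby`, so a consumer checking a JRuby runtime against this entry gets no patched bound from it. If the database keeps other engines under their own directory (the `rubies/ruby/` path suggests so), the 9.3.0.0 fix belongs in a companion entry for that engine rather than in this file's prose; I cannot tell from the patch whether such a directory exists. The enclosing `description:` block starts above this hunk.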
+++ b/rubies/ruby/CVE-2005-2337.yml @@ -22,7 +22,6 @@ related: - https://nvd.nist.gov/vuln/detail/CVE-2005-2337 - https://web.archive.org/web/20060104024955/https://www.ruby-lang.org/en/20051003.html - https://jvn.jp/jp/JVN62914675/index.html - - http://www.debian.org/security/2005/dsa-860 - http://www.debian.org/security/2005/dsa-862 - http://www.debian.org/security/2005/dsa-864 From c3d3f021d5fda91ab121d6dd0d2feb4347313a57 Mon Sep 17 00:00:00 2001 From: Postmodern Date: Sat, 14 Feb 2026 12:49:44 -0800 Subject: [PATCH 3/5] Remove a `Note:` from the `description:` of `rubies/ruby/CVE-2019-16255.yml`. * Any reviewer notes should go under the `notes:` key. --- rubies/ruby/CVE-2019-16255.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rubies/ruby/CVE-2019-16255.yml b/rubies/ruby/CVE-2019-16255.yml index b6cbd4958c..2db86c80b3 100644 --- a/rubies/ruby/CVE-2019-16255.yml +++ b/rubies/ruby/CVE-2019-16255.yml @@ -14,8 +14,6 @@ description: | Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing. - - Note: Mentioned as being fixed in JRuby 9.3.0.0 release. URLs at bottom of list. cvss_v2: 6.8 cvss_v3: 8.1 patched_versions: From 3bf27e4f76bbb0f1b2756ecdd06597c077ccbe37 Mon Sep 17 00:00:00 2001 From: Postmodern Date: Sat, 14 Feb 2026 12:52:08 -0800 Subject: [PATCH 4/5] Remove `RELEASE NOTE` from the `description:` of `rubies/ruby/CVE-2017-6181.yml` * Additional notes or internal commentary that are not in the original advisory should not be added to `description:`. --- rubies/ruby/CVE-2017-6181.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/rubies/ruby/CVE-2017-6181.yml b/rubies/ruby/CVE-2017-6181.yml index a5719c0de0..2b7a917a0c 100644 --- a/rubies/ruby/CVE-2017-6181.yml +++ b/rubies/ruby/CVE-2017-6181.yml 
@@ -10,11 +10,6 @@ description: | Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression. - - ## RELEASE NOTE - In bug report, found - - "Applied in changeset r57660" and - - "ruby_2_4 r57909 merged revision(s) 57660" cvss_v2: 5.0 cvss_v3: 7.5 patched_versions: From 0f6cf85ed7da57080f5ed4505b06aea12ee567dc Mon Sep 17 00:00:00 2001 From: Postmodern Date: Sat, 14 Feb 2026 12:53:44 -0800 Subject: [PATCH 5/5] Remove a `Note:` from the `description:` of `rubies/ruby/CVE-2008-1145.yml` * Additional reviewer notes should go under the `notes:` key. --- rubies/ruby/CVE-2008-1145.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rubies/ruby/CVE-2008-1145.yml b/rubies/ruby/CVE-2008-1145.yml index 55d234181d..b6a44af92a 100644 --- a/rubies/ruby/CVE-2008-1145.yml +++ b/rubies/ruby/CVE-2008-1145.yml @@ -11,8 +11,6 @@ description: | or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. - - NOTE: Fixes are mentioned in 2008/03/03 reference. cvss_v2: 5.0 patched_versions: - "~> 1.8.5.p115"