Separated jruby infro from ruby advisory plus new 2011 webrick advisory

rubies/jruby/CVE-2019-16255.yml

@@ -0,0 +1,31 @@
+---
+engine: jruby
+cve: 2019-16255
+ghsa: ph7w-p94x-9vvw
+url: https://nvd.nist.gov/vuln/detail/CVE-2019-16255
+title: A code injection vulnerability of Shell#[] and Shell#test
+date: 2019-10-01
+description: |
+  Shell#[] and its alias Shell#test defined in lib/shell.rb allow code
+  injection if the first argument (aka the “command” argument) is untrusted
+  data. An attacker can exploit this to call an arbitrary Ruby method.
+
+  Note that passing untrusted data to methods of Shell is dangerous in general.
+  Users must never do it. However, we treat this particular case as a
+  vulnerability because the purpose of Shell#[] and Shell#[] is considered file
+  testing.
+cvss_v2: 6.8
+cvss_v3: 8.1
+patched_versions:
+  - ">= 9.3.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-16255
+    - https://github.com/jruby/jruby/releases/tag/9.3.0.0
+    - https://github.com/jruby/jruby/issues/5126
+    - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
+    - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255
+    - https://hackerone.com/reports/327512
+    - https://github.com/advisories/GHSA-ph7w-p94x-9vvw

rubies/ruby/CVE-2011-3624.yml

@@ -0,0 +1,39 @@
+---
+engine: ruby
+cve: 2011-3624
+ghsa: rc82-v3mm-rhj2
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-3624
+title: WEBrick::HTTPRequest X-Forwarded-* allows arbitrary data
+date: 2019-11-25
+description: |
+  Various methods in WEBrick::HTTPRequest do not validate the
+  X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in
+  requests, which might allow remote attackers to inject arbitrary text
+  into log files or bypass intended address parsing via a crafted header.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+  - "~> 1.9.2"
+  - ">= 3.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2011-3624
+    - https://www.ruby-lang.org/en/news/2020/12/25/ruby-3-0-0-released
+    - https://github.com/ruby/ruby/blob/v3_0_0/NEWS.md
+    - https://bugs.ruby-lang.org/issues/17303
+    - https://raw.githubusercontent.com/ruby/ruby/refs/heads/ruby_1_9_2/ChangeLog
+    - https://access.redhat.com/security/cve/cve-2011-3624
+    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624
+    - https://security-tracker.debian.org/tracker/CVE-2011-3624
+    - https://github.com/advisories/GHSA-rc82-v3mm-rhj2
+notes: |
+  - Ruby 3.0.0 was the release when webrick was moved into a separate gem.
+  - Did not find references to 1.8.7 fix.
+  - Found this in above 1.9.2 ChangeLog. Unclear if connected.
+    -- Fri Jun 24 19:57:30 2011  Hiroshi Nakamura  <nahi@ruby-lang.org>
+       * lib/webrick/httprequest.rb (setup_forwarded_info): Parsing request
+         header failed when the request is from 2 or more Apache reverse
+         proxies. It's said that all X-Forwarded-* headers will contain more
+        than one (comma-separated) value if the original request already
+        contained one of these headers.  Since we could use these values as
+        Host header, we choose the initial(first) value. See #4922.

rubies/ruby/CVE-2019-16255.yml

@@ -36,9 +36,4 @@ related:
     - https://security.gentoo.org/glsa/202003-06
     - https://www.oracle.com/security-alerts/cpujan2020.html
     - https://hackerone.com/reports/327512
-    - https://github.com/jruby/jruby/releases/tag/9.3.0.0
-    - https://github.com/jruby/jruby/issues/5126
-    - https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
-    - https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
-    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
     - https://github.com/advisories/GHSA-ph7w-p94x-9vvw