Skip to content

GHSA SYNC: 1 brand new advisory #970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jasnow wants to merge 12 commits into
base: master
Choose a base branch
from
Open

GHSA SYNC: 1 brand new advisory #970

jasnow wants to merge 12 commits into from

Conversation

@jasnow
Copy link
Contributor

@jasnow jasnow commented Jan 23, 2026
edited
Loading

GHSA SYNC: 1 brand new advisory

postmodern
postmodern requested changes Jan 31, 2026
View reviewed changes
jasnow added 3 commits January 31, 2026 08:14
@jasnow
Remove non-functional link from CVE-2025-7207.yml
201cf82 
Removed a non-functional link from the CVE YAML file.
@jasnow
Update CVE-2025-7207.yml with patch notes
3cf1458
@jasnow
Combine 2 notes: fields into one.
d756f4c 
Updated notes to clarify that mruby 3.5.0 has not been released as of 1/23/2026.
@jasnow jasnow requested a review from postmodern January 31, 2026 13:25
@jasnow jasnow changed the title GHSA SYNC: 1 enhanced and 1 brand new advisory GHSA SYNC: 1 brand new advisory Jan 31, 2026
@jasnow
Copy link
Contributor Author

jasnow commented Jan 31, 2026

Now deleted.

@postmodern
Copy link
Member

postmodern commented Feb 7, 2026

GitHub is saying rubies/ruby/CVE-2024-27282.yml has conflicting changes now and won't let me resolve them.

@jasnow
Copy link
Contributor Author

jasnow commented Feb 8, 2026

All green - now try it again.

postmodern
postmodern requested changes Feb 8, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need clarification on something. The advisory description mentions that the vulnerability was found in versions "up to 3.4.0-rc2". However, version 3.4.0 was tagged after 3.4.0-rc2. Is this a mistake and should it say "up to and including 3.4.0", or was the vulnerability actually fixed in 3.4.0?

@jasnow
Copy link
Contributor Author

jasnow commented Feb 8, 2026

back online - will check

@jasnow
Clarify that ISS#6509 is going into 3.5.0 (yet to be released)
4a345c8 
Clarify that ISS#6509 is going into 3.5.0 (yet to be released)
@jasnow
Copy link
Contributor Author

jasnow commented Feb 8, 2026

I expect the patch to be part of 3.5.0 when it is released.

postmodern
postmodern requested changes Feb 8, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wording changes requested, if you agree.

rubies/mruby/CVE-2025-7207.yml
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-7207
- https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9.patch
- https://github.com/mruby/mruby/blob/master/NEWS.md
Copy link
Member

@postmodern postmodern Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also should be https://github.com/mruby/mruby/blob/6f321251785c2396cb7e6a576ac2080c1adb4491/NEWS.md.

Copy link
Member

@postmodern postmodern Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The old URL is still there.

postmodern
postmodern requested changes Feb 9, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed some YAML issues. Also, the old NEWS.md URL is still listed. Also, not sure why the mruby 3.4.0 and 3.3.0 blog posts are listed as well?

rubies/mruby/CVE-2025-7207.yml
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-7207
- https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9.patch
- https://github.com/mruby/mruby/blob/master/NEWS.md
Copy link
Member

@postmodern postmodern Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The old URL is still there.

rubies/mruby/CVE-2025-7207.yml
- https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9.patch
- https://github.com/mruby/mruby/blob/master/NEWS.md
- https://mruby.org/releases/2025/04/20/mruby-3.4.0-released.html
- https://mruby.org/releases/2024/02/14/mruby-3.3.0-released.html
Copy link
Member

@postmodern postmodern Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious why the 3.4.0 and 3.3.0 blog posts are listed as they do not fix issue 6509 or even mention it?

rubies/mruby/CVE-2025-7207.yml
notes: |
- Not patched - mruby 3.5.0 has not been released as of 2026/02/07.
- Found Issue #6509 listed in **unreleased** mruby 3.5 file listed below.
url:
Copy link
Member

@postmodern postmodern Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Appears that related: disappeared? This causes url: to be consumed by notes: | above.

@postmodern postmodern added linting YAML Linting and removed need clarification linting YAML Linting labels Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jasnow @postmodern