From 8f0c8dad36611637e462b89cf99316922cc7013b Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Fri, 13 Feb 2026 14:43:17 -0500
Subject: [PATCH 1/2] GHSA SYNC: 1 new advisory; 4 modified advisories
---
 rubies/ruby/CVE-2007-5770.yml | 10 ++++++++++
 rubies/ruby/CVE-2009-0642.yml | 10 ++++++++++
 rubies/ruby/CVE-2012-4464.yml | 6 ++++++
 rubies/ruby/CVE-2014-6438.yml | 23 +++++++++++++++++++++++
 rubies/ruby/CVE-2022-28739.yml | 8 ++++++++
 5 files changed, 57 insertions(+)
 create mode 100644 rubies/ruby/CVE-2014-6438.yml
diff --git a/rubies/ruby/CVE-2007-5770.yml b/rubies/ruby/CVE-2007-5770.yml
index da10d9033e..add274a076 100644
--- a/rubies/ruby/CVE-2007-5770.yml
+++ b/rubies/ruby/CVE-2007-5770.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2007-5770
+ghsa: mf83-c25g-48r6
 url: http://www.cvedetails.com/cve/CVE-2007-5770/
 title: Ruby Net::HTTPS library does not validate server certificate CN
 date: 2007-10-08
@@ -15,3 +16,12 @@ cvss_v2: 4.3
 patched_versions:
 - "~> 1.8.6.230"
 - ">= 1.8.7"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2007-5770
+ - https://bugzilla.redhat.com/show_bug.cgi?id=362081
+ - http://www.debian.org/security/2007/dsa-1410
+ - http://www.debian.org/security/2007/dsa-1411
+ - http://www.debian.org/security/2007/dsa-1412
+ - https://ubuntu.com/security/notices/USN-596-1
+ - https://github.com/advisories/GHSA-mf83-c25g-48r6
diff --git a/rubies/ruby/CVE-2009-0642.yml b/rubies/ruby/CVE-2009-0642.yml
index 4d75791891..45a9097712 100644
--- a/rubies/ruby/CVE-2009-0642.yml
+++ b/rubies/ruby/CVE-2009-0642.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2009-0642
+ghsa: 4gvm-4mw2-9fpv
 url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
 title: Ruby 'OCSP_basic_verify()' X.509 Certificate Verification Vulnerability
 date: 2009-01-29
@@ -15,3 +16,12 @@ patched_versions:
 - "~> 1.8.7.173"
 - "~> 1.9.1.129"
 - ">= 1.9.2.preview.1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-0642
+ - https://web.archive.org/web/20111209131753/http://redmine.ruby-lang.org/issues/show/1091
+ - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
+ - https://ubuntu.com/security/notices/USN-805-1
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/48761
+ - https://www.invicti.com/web-application-vulnerabilities/ruby-improper-authentication-vulnerability-cve-2009-0642
+ - https://github.com/advisories/GHSA-4gvm-4mw2-9fpv
diff --git a/rubies/ruby/CVE-2012-4464.yml b/rubies/ruby/CVE-2012-4464.yml
index 7a3352ea92..da3480ee4d 100644
--- a/rubies/ruby/CVE-2012-4464.yml
+++ b/rubies/ruby/CVE-2012-4464.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2012-4464
+ghsa: gjcp-rx5c-g849
 url: https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
 title: Ruby Exception#to_s / NameError#to_s Methods Safe Level Security Bypass
 date: 2012-10-12
@@ -15,3 +16,8 @@ cvss_v2: 5.0
 patched_versions:
 - "~> 1.8.7.371"
 - ">= 1.9.3.286"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-4464
+ - https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466
+ - https://github.com/advisories/GHSA-gjcp-rx5c-g849
diff --git a/rubies/ruby/CVE-2014-6438.yml b/rubies/ruby/CVE-2014-6438.yml
new file mode 100644
index 0000000000..fd1595da53
--- /dev/null
+++ b/rubies/ruby/CVE-2014-6438.yml
@@ -0,0 +1,23 @@
+---
+engine: ruby
+cve: 2014-6438
+ghsa: 2j3h-55rq-rj48
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+title: DoS Vulnerability associated with URI.decode_www_form_component method
+date: 2017-09-06
+description: |
+ The URI.decode_www_form_component method in Ruby before 1.9.2-p330
+ allows remote attackers to cause a denial of service (catastrophic
+ regular expression backtracking, resource consumption, or application
+ crash) via a crafted string.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+ - ">= 1.9.2.p330"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+ - https://www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released
+ - https://github.com/ruby/www.ruby-lang.org/issues/817
+ - http://www.openwall.com/lists/oss-security/2015/07/13/6
+ - https://github.com/advisories/GHSA-2j3h-55rq-rj48
diff --git a/rubies/ruby/CVE-2022-28739.yml b/rubies/ruby/CVE-2022-28739.yml
index 136e4eaea4..5b78d00910 100644
--- a/rubies/ruby/CVE-2022-28739.yml
+++ b/rubies/ruby/CVE-2022-28739.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2022-28739
+ghsa: mvgc-rxvg-hqc6
 url: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
 title: Buffer overrun in String-to-Float conversion
 date: 2022-04-12
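Review bot: `patched_versions` in the new CVE-2014-6438.yml is written as `">= 1.9.2.p330"`, while every other patchlevel in this series is a plain numeric segment (`1.8.7.352`, `1.9.2.290`, `1.9.3.286`). If the consumer compares these with `Gem::Requirement`, as the `~>` operators elsewhere suggest, the letter segment makes `1.9.2.p330` a prerelease that sorts below `1.9.2`, so an unpatched 1.9.2 would be reported as already fixed; `  - ">= 1.9.2.330"` follows the existing convention. Separately, `date: 2017-09-06` is three years after the 1.9.2-p330 release linked under `related`, which looks like the NVD publication date rather than the disclosure date — confirm it is intended. The first `related.url` entry also repeats the top-level `url` (both the NVD page), a duplication that recurs in every file of the second patch (CVE-2008-2376, CVE-2011-0188, CVE-2011-2686, CVE-2011-2705, CVE-2012-4466); dropping it would keep the lists to genuinely additional references.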
@@ -10,8 +11,15 @@ description: | Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read. Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
+cvss_v2: 4.3
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.6.10"
 - "~> 2.7.6"
 - "~> 3.0.4"
 - ">= 3.1.2"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-28739
+ - https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739
+ - https://github.com/advisories/GHSA-mvgc-rxvg-hqc6
From 1547593bc780b34bd7412471fe069918c32fdffe Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Fri, 13 Feb 2026 21:31:45 -0500
Subject: [PATCH 2/2] GHSA SYNC: 5 modified advisories
---
 rubies/ruby/CVE-2008-2376.yml | 12 +++++++++++-
 rubies/ruby/CVE-2011-0188.yml | 10 +++++++++-
 rubies/ruby/CVE-2011-2686.yml | 14 +++++++++++++-
 rubies/ruby/CVE-2011-2705.yml | 12 ++++++++++++
 rubies/ruby/CVE-2012-4466.yml | 13 ++++++++++++-
 5 files changed, 57 insertions(+), 4 deletions(-)
diff --git a/rubies/ruby/CVE-2008-2376.yml b/rubies/ruby/CVE-2008-2376.yml
index 9bcb46cad2..26f3981464 100644
--- a/rubies/ruby/CVE-2008-2376.yml
+++ b/rubies/ruby/CVE-2008-2376.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2008-2376
-url: http://www.openwall.com/lists/oss-security/2008/07/02/3
+ghsa: f7wf-fwmg-r7g3
+url: https://nvd.nist.gov/vuln/detail/CVE-2008-2376
 title: More ruby integer overflows (rb_ary_fill / Array#fill)
 date: 2008-06-30
 description: |
@@ -16,3 +17,12 @@ patched_versions:
 - "~> 1.8.6.286"
 - "~> 1.8.7.71"
 - ">= 1.9.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-2376
+ - https://web.archive.org/web/20211205152129/https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=17756&view=revision
+ - http://www.debian.org/security/2008/dsa-1612
+ - http://www.debian.org/security/2008/dsa-1618
+ - https://security.gentoo.org/glsa/200812-17
+ - http://www.openwall.com/lists/oss-security/2008/07/02/3
+ - https://github.com/advisories/GHSA-f7wf-fwmg-r7g3
diff --git a/rubies/ruby/CVE-2011-0188.yml b/rubies/ruby/CVE-2011-0188.yml
index e4066823b8..82c885672d 100644
--- a/rubies/ruby/CVE-2011-0188.yml
+++ b/rubies/ruby/CVE-2011-0188.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2011-0188
-url: https://github.com/ruby/ruby/commit/f83651ac30c7c776dee8a6a401c654757cb8d1c2
+ghsa: 6vch-6cgr-x9c3
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-0188
 title: Ruby memory corruption in BigDecimal on 64bit platforms
 date: 2011-03-01
 description: |
@@ -15,3 +16,10 @@ cvss_v2: 6.8
 patched_versions:
 - "~> 1.8.7.370"
 - ">= 1.9.3.preview.1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-0188
+ - https://github.com/ruby/ruby/commit/f83651ac30c7c776dee8a6a401c654757cb8d1c2
+ - https://support.apple.com/en-us/103340
+ - https://bugzilla.redhat.com/show_bug.cgi?id=682332
+ - https://github.com/advisories/GHSA-6vch-6cgr-x9c3
diff --git a/rubies/ruby/CVE-2011-2686.yml b/rubies/ruby/CVE-2011-2686.yml
index 6d19137e4f..cdeed3d2ff 100644
--- a/rubies/ruby/CVE-2011-2686.yml
+++ b/rubies/ruby/CVE-2011-2686.yml
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2011-2686
-url: https://osdir.com/ml/lang-ruby-core/2011-01/msg00917.html
+ghsa: g8g6-3p4h-6388
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-2686
 title: Ruby Random Number Generation Local Denial Of Service Vulnerability
 date: 2011-07-02
 description: |
@@ -15,3 +16,14 @@ unaffected_versions:
 - "< 1.8.6.399"
 patched_versions:
 - ">= 1.8.7.352"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-2686
+ - http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released
+ - https://github.com/ruby/ruby/blob/v1_8_7_352/ChangeLog
+ - https://bugzilla.redhat.com/show_bug.cgi?id=722415
+ - http://www.openwall.com/lists/oss-security/2011/07/11/1
+ - http://www.openwall.com/lists/oss-security/2011/07/12/14
+ - http://www.openwall.com/lists/oss-security/2011/07/20/1
+ - http://www.openwall.com/lists/oss-security/2011/07/20/16
+ - https://github.com/advisories/GHSA-g8g6-3p4h-6388
diff --git a/rubies/ruby/CVE-2011-2705.yml b/rubies/ruby/CVE-2011-2705.yml
index a7a03d9e81..5793599d73 100644
--- a/rubies/ruby/CVE-2011-2705.yml
+++ b/rubies/ruby/CVE-2011-2705.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2011-2705
+ghsa: wj5x-c2v9-7wwr
 url: https://redmine.ruby-lang.org/issues/4579
 title: Ruby Random Number Generation Local Denial Of Service Vulnerability
 date: 2011-07-02
@@ -14,3 +15,14 @@ cvss_v2: 5.0
 patched_versions:
 - "~> 1.8.7.352"
 - ">= 1.9.2.290"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-2705
+ - http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released
+ - https://github.com/ruby/ruby/blob//v1_8_7_352/ChangeLog
+ - https://bugzilla.redhat.com/show_bug.cgi?id=722415
+ - http://www.openwall.com/lists/oss-security/2011/07/12/14
+ - http://www.openwall.com/lists/oss-security/2011/07/11/1
+ - http://www.openwall.com/lists/oss-security/2011/07/20/1
+ - http://www.openwall.com/lists/oss-security/2011/07/20/16
+ - https://github.com/advisories/GHSA-wj5x-c2v9-7wwr
diff --git a/rubies/ruby/CVE-2012-4466.yml b/rubies/ruby/CVE-2012-4466.yml
index 1c3ac05838..301159b9c2 100644
--- a/rubies/ruby/CVE-2012-4466.yml
+++ b/rubies/ruby/CVE-2012-4466.yml
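Review bot: The ChangeLog reference added to CVE-2011-2705.yml carries a doubled slash, `https://github.com/ruby/ruby/blob//v1_8_7_352/ChangeLog`, whereas the same reference added to CVE-2011-2686.yml in this commit reads `https://github.com/ruby/ruby/blob/v1_8_7_352/ChangeLog`. GitHub may tolerate the extra slash, but the two entries point at the same file and should be identical; change the line to `  - https://github.com/ruby/ruby/blob/v1_8_7_352/ChangeLog`. The four openwall links are also listed in a different order in the two files (07/12/14 precedes 07/11/1 here), which is harmless but worth normalizing if the sync tool is meant to emit them sorted.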
@@ -1,7 +1,8 @@
 ---
 engine: ruby
 cve: 2012-4466
-url: https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
+ghsa: gm9g-777x-3fp6
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-4466
 title: Ruby name_err_mesg_to_str Method Safe Level Security Bypass
 date: 2012-10-12
 description: |
@@ -14,3 +15,13 @@ cvss_v2: 5.0
 patched_versions:
 - "~> 1.8.7.371"
 - ">= 1.9.3.286"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-4466
+ - https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466
+ - https://web.archive.org/web/20210120155544/https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
+ - http://www.openwall.com/lists/oss-security/2012/10/02/4
+ - http://www.openwall.com/lists/oss-security/2012/10/03/9
+ - https://bugzilla.redhat.com/show_bug.cgi?id=862614
+ - https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294
+ - https://github.com/advisories/GHSA-gm9g-777x-3fp6