techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome

#ghsa

NFL News<p>An historic look at the first-ever GHSA Class 3A football champions <a href="https://www.rawchili.com/nfl/178713/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/nfl/178713/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/3aBlog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>3aBlog</span></a> <a href="https://channels.im/tags/ClassificationBlogs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClassificationBlogs</span></a> <a href="https://channels.im/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a> <a href="https://channels.im/tags/Football" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Football</span></a> <a href="https://channels.im/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://channels.im/tags/HighSchool" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchool</span></a> <a href="https://channels.im/tags/HighSchoolSports" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchoolSports</span></a> <a href="https://channels.im/tags/SethEllerbeeBlog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SethEllerbeeBlog</span></a></p>
postmodern<p><del>Could someone on <span class="h-card" translate="no"><a href="https://infosec.exchange/@github" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>github</span></a></span>'s GHSA team please look at these PRs to remove obvious duplicate advisories? It's been a week now and still waiting.</del></p><ul><li><del><a href="https://github.com/github/advisory-database/pull/5622" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/5622</span></a></del></li><li><del><a href="https://github.com/github/advisory-database/pull/5624" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/5624</span></a></del></li></ul><p>Also this PR which was closed but removes an advisory that just simply references three other advisories affecting a project's dependency. Last time I checked you are not supposed to issue advisories for other advisories; unless you've vendored the vulnerable code.</p><ul><li><a href="https://github.com/github/advisory-database/pull/5625" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/5625</span></a></li></ul><p><a href="https://infosec.exchange/tags/github" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>github</span></a> <a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a></p>
postmodern<p>Anyone at <span class="h-card" translate="no"><a href="https://infosec.exchange/@github" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>github</span></a></span>'s GHSA team care to look into this PR that got closed? I believe I've found an <a href="https://rubygems.org/gems/omniauth-saml" rel="nofollow noopener" target="_blank">omniauth-saml</a> advisory that simply references three other GHSA advisories that affect one of its dependencies, <a href="https://rubygems.org/gems/ruby-saml" rel="nofollow noopener" target="_blank">ruby-saml</a>. I see no evidence why a separate advisory needs to exist for omniauth-saml, when the security issues exist in ruby-saml, and can easily be upgraded independently of omniauth-saml (ex: <code>gem upgrade ruby-saml</code> / <code>bundle update ruby-saml</code>). This seems like a maintainer created yet another advisory simply to notify their users about other advisories affecting their dependencies, which seems like overkill and creates duplicate security advisory data. I think this GHSA advisory should be withdrawn/removed.<br><a href="https://github.com/github/advisory-database/pull/5625" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/5625</span></a></p><p><a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://infosec.exchange/tags/omniauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>omniauth</span></a> <a href="https://infosec.exchange/tags/saml" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>saml</span></a></p>
Sentinel Security<p>Don’t sleep on GHSA! 🛠️ Many security flaws are first disclosed through GitHub Security Advisories — long before they get a CVE. A solid vulnerability management strategy should include GHSA tracking. <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://mastodon.social/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://mastodon.social/tags/VulnerabilityManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityManagement</span></a> <a href="https://mastodon.social/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DevSecOps</span></a></p>
Sentinel Security<p>🔒 Vulnerability management isn’t just CVEs — don’t forget GitHub Security Advisories (GHSA)! Many critical issues live only in repos before hitting NVD. Automate GHSA ingestion to stay ahead. <a href="https://mastodon.social/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://mastodon.social/tags/VulnManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnManagement</span></a> <a href="https://mastodon.social/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://mastodon.social/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DevSecOps</span></a></p>
NFL News<p>Peach County Blanks Westside in Spring Football Matchup – 41NBC News <a href="https://www.rawchili.com/nfl/56544/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/nfl/56544/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/BibbCounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BibbCounty</span></a> <a href="https://channels.im/tags/Football" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Football</span></a> <a href="https://channels.im/tags/FortValley" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FortValley</span></a> <a href="https://channels.im/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://channels.im/tags/GhsaFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GhsaFootball</span></a> <a href="https://channels.im/tags/PeachCounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PeachCounty</span></a> <a href="https://channels.im/tags/PeachCountyTrojansFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PeachCountyTrojansFootball</span></a> <a href="https://channels.im/tags/SpringFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SpringFootball</span></a> <a href="https://channels.im/tags/TrojanStadium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TrojanStadium</span></a> <a href="https://channels.im/tags/WestsideSeminolesFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WestsideSeminolesFootball</span></a></p>
MLB News<p>Vikings advances to GHSA state baseball playoff finals <a href="https://www.rawchili.com/mlb/31166/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/31166/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/BaseballStatePlayoffFinals" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BaseballStatePlayoffFinals</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/LowndesVikingsBaseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LowndesVikingsBaseball</span></a> <a href="https://channels.im/tags/VikingsBaseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VikingsBaseball</span></a></p>
NFL News<p>Spring Football Heats Up in Middle Georgia With Four-Team Jamboree in Warner Robins – 41NBC News <a href="https://www.rawchili.com/nfl/51372/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/nfl/51372/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/BibbCounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BibbCounty</span></a> <a href="https://channels.im/tags/Football" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Football</span></a> <a href="https://channels.im/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://channels.im/tags/GhsaFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GhsaFootball</span></a> <a href="https://channels.im/tags/HoustonCounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HoustonCounty</span></a> <a href="https://channels.im/tags/HowardHuskiesFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HowardHuskiesFootball</span></a> <a href="https://channels.im/tags/McConnellTalbertStadium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>McConnellTalbertStadium</span></a> <a href="https://channels.im/tags/NortheastRaidersFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NortheastRaidersFootball</span></a> <a href="https://channels.im/tags/Perry" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Perry</span></a> <a href="https://channels.im/tags/PerryPanthersFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PerryPanthersFootball</span></a> <a href="https://channels.im/tags/SpringFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SpringFootball</span></a> <a href="https://channels.im/tags/TheMac" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TheMac</span></a> <a href="https://channels.im/tags/WarnerRobins" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WarnerRobins</span></a> <a href="https://channels.im/tags/WarnerRobinsDemonsFootball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WarnerRobinsDemonsFootball</span></a></p>
MLB News<p>GHSA Baseball: Decisive Game 3’s forced during Wednesday’s quarterfinals <a href="https://www.rawchili.com/mlb/13311/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/13311/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/HighSchool" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchool</span></a> <a href="https://channels.im/tags/HighSchoolSports" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchoolSports</span></a> <a href="https://channels.im/tags/MajorLeagueBaseballPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MajorLeagueBaseballPlayoffs</span></a> <a href="https://channels.im/tags/MajorLeagueBaseballPostseason" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MajorLeagueBaseballPostseason</span></a> <a href="https://channels.im/tags/MLB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLB</span></a> <a href="https://channels.im/tags/MLBPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLBPlayoffs</span></a> <a href="https://channels.im/tags/MLBPostseason" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLBPostseason</span></a></p>
MLB News<p>Class 3A Blog: Two top-ranked teams fall in quarterfinals; a look at the baseball playoffs <a href="https://www.rawchili.com/mlb/10108/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/10108/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/3aBlog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>3aBlog</span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/ClassificationBlogs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClassificationBlogs</span></a> <a href="https://channels.im/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/HighSchool" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchool</span></a> <a href="https://channels.im/tags/MajorLeagueBaseballPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MajorLeagueBaseballPlayoffs</span></a> <a href="https://channels.im/tags/MajorLeagueBaseballPostseason" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MajorLeagueBaseballPostseason</span></a> <a href="https://channels.im/tags/MLB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLB</span></a> <a href="https://channels.im/tags/MLBPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLBPlayoffs</span></a> <a href="https://channels.im/tags/MLBPostseason" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MLBPostseason</span></a></p>
MLB News<p>Wesleyan baseball looks for revenge against Lovett <a href="https://www.rawchili.com/mlb/8943/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/8943/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/A3aPrivateBlog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>A3aPrivateBlog</span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/ClassificationBlogs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClassificationBlogs</span></a> <a href="https://channels.im/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/HighSchool" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HighSchool</span></a> <a href="https://channels.im/tags/soccer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>soccer</span></a></p>
MLB News<p>Lafayette baseball sweeps Rural Region Championship, other scores <a href="https://www.rawchili.com/mlb/7115/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/7115/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/fhsaa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fhsaa</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/lafayette" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lafayette</span></a> <a href="https://channels.im/tags/soccer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>soccer</span></a> <a href="https://channels.im/tags/suwannee" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>suwannee</span></a> <a href="https://channels.im/tags/thomasville" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>thomasville</span></a></p>
MLB News<p>Vikings to host Brookwood in GHSA state baseball playoffs <a href="https://www.rawchili.com/mlb/4919/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">rawchili.com/mlb/4919/</span><span class="invisible"></span></a> <a href="https://channels.im/tags/2025GhsaStateBaseballPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2025GhsaStateBaseballPlayoffs</span></a> <a href="https://channels.im/tags/Baseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Baseball</span></a> <a href="https://channels.im/tags/GeorgiaHighSchoolAssociation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GeorgiaHighSchoolAssociation</span></a> <a href="https://channels.im/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://channels.im/tags/GhsaStateBaseballPlayoffs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GhsaStateBaseballPlayoffs</span></a> <a href="https://channels.im/tags/LowndesVikingsBaseball" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LowndesVikingsBaseball</span></a></p>
defnull<p>I'm finally allowed to speak about this nice little DoS vulnerability I found in <a href="https://chaos.social/tags/starlette" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>starlette</span></a> (and <a href="https://chaos.social/tags/FastAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FastAPI</span></a>). </p><p><a href="https://chaos.social/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE</span></a> <a href="https://www.cve.org/CVERecord?id=CVE-2024-47874" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cve.org/CVERecord?id=CVE-2024-</span><span class="invisible">47874</span></a><br><a href="https://chaos.social/tags/GHSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GHSA</span></a> <a href="https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/encode/starlette/se</span><span class="invisible">curity/advisories/GHSA-f96h-pmfr-66vw</span></a></p><p><a href="https://chaos.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://chaos.social/tags/Python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Python</span></a></p>
postmodern<p>Buckle up everybody, it's another advisory in a popular gem with no patch and slightly inaccurate details. This time affecting all versions of json-jwt:<br><a href="https://github.com/advisories/GHSA-c8v6-786g-vjx6" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/advisories/GHSA-c8v</span><span class="invisible">6-786g-vjx6</span></a></p><p>The GHSA and NVD entries claim 1.16.3 and below are affected, however the most recent version is 1.16.5, but I reviewed the diffs between the newer versions and don't see significant changes to the logic.</p><ul><li><a href="https://my.diffend.io/gems/json-jwt/1.16.3/1.16.4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">my.diffend.io/gems/json-jwt/1.</span><span class="invisible">16.3/1.16.4</span></a></li><li><a href="https://my.diffend.io/gems/json-jwt/1.16.4/1.16.5" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">my.diffend.io/gems/json-jwt/1.</span><span class="invisible">16.4/1.16.5</span></a></li></ul><p>The original advisory was created 2023-12-22, and 1.16.4 was published 2023-12-27, so that checks out as old information. I really wish someone would double check these advisories <em>before</em> they get added to databases.<br><a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://infosec.exchange/tags/rubysec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rubysec</span></a></p>
postmodern<p>More GHSA issues. Appears that the GHSA entries for <a href="https://github.com/advisories/GHSA-jjhx-jhvp-74wq" rel="nofollow noopener" target="_blank">CVE-2024-26142</a>, <a href="https://github.com/advisories/GHSA-9822-6m93-xqf4" rel="nofollow noopener" target="_blank">CVE-2024-26143</a>, and <a href="https://github.com/advisories/GHSA-8h22-8cf7-hq6g" rel="nofollow noopener" target="_blank">CVE-2024-26144</a> incorrectly list the "rails" main gem as being vulnerable, when the actual patches indicate that the actionpack and activestorage gems are vulnerable. Submitted PRs to fix that. Hopefully will get merged quickly so the GHSA data matches what we have in ruby-advisory-db.</p><p>My guess is GitHub's advisory importer script might be having some bugs, or someone was in a rush and listed rails because rails is in the advisory titles.<br><a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://infosec.exchange/tags/rails" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rails</span></a> <a href="https://infosec.exchange/tags/rubysec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rubysec</span></a></p>
postmodern<p>Ugh, my GHSA PR is blocked with a generic error message. <span class="h-card" translate="no"><a href="https://hachyderm.io/@github" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>github</span></a></span> <br><a href="https://github.com/github/advisory-database/pull/3751/checks?check_run_id=22053714947" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/3751/checks?check_run_id=22053714947</span></a><br><a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a></p>
postmodern<p>A bumpy week adding/updating advisories from GHSA to ruby-advisory-db. The recent Rails XSS and Rack ReDoS advisories didn't show up in GHSA immediately, so I had to manually add those to ruby-advisory-db from the Rails Forum where they now post security advisories.</p><p>Now a rack-cors package file permission advisory (CVE-2024-27456) that claimed to affect all versions, but after <a href="https://github.com/cyu/rack-cors/issues/274" rel="nofollow noopener" target="_blank">closer inspection</a> (only a few hours ago!) of the <code>.gem</code> packages it only affects version 2.0.1. Thankfully people submitted PRs to ruby-advisory-db so bundler-audit will no longer erroneously flag rack-cors &lt; 2.0.1. I submitted a PR back to GHSA to update the rack-cors advisory information. Team work makes the dream work.</p><p>Sorry everyone for the CI disruptions.<br><a href="https://github.com/github/advisory-database/pull/3751" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/github/advisory-dat</span><span class="invisible">abase/pull/3751</span></a><br><a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a> <a href="https://infosec.exchange/tags/rubysec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rubysec</span></a> <a href="https://infosec.exchange/tags/bundleraudit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bundleraudit</span></a> <a href="https://infosec.exchange/tags/ruby" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ruby</span></a></p>
Mima-sama<p><span>Hey </span><a href="https://makai.chaotic.ninja/tags/Mastodon" rel="nofollow noopener" target="_blank">#Mastodon</a><span> admins, just a reminder that the details of the critical </span><a href="https://makai.chaotic.ninja/tags/security" rel="nofollow noopener" target="_blank">#security</a><span> vulnerability </span><a href="https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" rel="nofollow noopener" target="_blank"><span>GHSA-3fjr-858r-92rw/CVE-2024-23832</span></a><span> is going to be released </span><i><span>tomorrow</span></i><span>. </span><span>I still see some instances out there running a vulnerable version... </span><span>Sent a DM to the admins of those instances of course. </span><span>Please upgrade to a patched version (like 4.2.5 and 4.1.13) as soon as possible. </span><span><br><br></span><a href="https://makai.chaotic.ninja/tags/MastoAdmin" rel="nofollow noopener" target="_blank">#MastoAdmin</a><span> </span><a href="https://makai.chaotic.ninja/tags/FediAdmin" rel="nofollow noopener" target="_blank">#FediAdmin</a><span> </span><a href="https://makai.chaotic.ninja/tags/CVE-2024-23832" rel="nofollow noopener" target="_blank">#CVE-2024-23832</a><span> </span><a href="https://makai.chaotic.ninja/tags/CVE202423832" rel="nofollow noopener" target="_blank">#CVE202423832</a><span> </span><a href="https://makai.chaotic.ninja/tags/CVE_2024_23832" rel="nofollow noopener" target="_blank">#CVE_2024_23832</a><span> </span><a href="https://makai.chaotic.ninja/tags/CVE" rel="nofollow noopener" target="_blank">#CVE</a><span> </span><a href="https://makai.chaotic.ninja/tags/GHSA-3fjr-858r-92rw" rel="nofollow noopener" target="_blank">#GHSA-3fjr-858r-92rw</a><span> </span><a href="https://makai.chaotic.ninja/tags/GHSA3fjr858r92rw" rel="nofollow noopener" target="_blank">#GHSA3fjr858r92rw</a><span> </span><a href="https://makai.chaotic.ninja/tags/GHSA_3fjr_858r_92rw" rel="nofollow noopener" target="_blank">#GHSA_3fjr_858r_92rw</a><span> </span><a href="https://makai.chaotic.ninja/tags/GHSA" rel="nofollow noopener" target="_blank">#GHSA</a><span> </span><a href="https://makai.chaotic.ninja/tags/GitHub" rel="nofollow noopener" target="_blank">#GitHub</a><span> </span><a href="https://makai.chaotic.ninja/tags/GitHubsecurityadvisory" rel="nofollow noopener" target="_blank">#GitHubsecurityadvisory</a><span> </span><a href="https://makai.chaotic.ninja/tags/cybersecurity" rel="nofollow noopener" target="_blank">#cybersecurity</a><span> </span><a href="https://makai.chaotic.ninja/tags/OriginValidation" rel="nofollow noopener" target="_blank">#OriginValidation</a></p>
postmodern<p>What really grinds my gears is how often CVE or GHSA advisory information is incorrect; incorrect package names or incorrect version ranges. Seems to result from incorrect summarization of the original advisory, or sloppy auto-parsing code that attempts to extract the package name or versions. The CVE community / GHSA team really needs to address this issue and somehow tighten double-checking of information.<br><a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://infosec.exchange/tags/ghsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ghsa</span></a></p>