Add a bunch more advisories courtesy of GHSA sync script

Also, update GHSA sync script min_year to 2015

Author: reedloden

gems/delayed_job_web/CVE-2017-12097.yml

@@ -0,0 +1,17 @@
+---
+gem: delayed_job_web
+cve: 2017-12097
+url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449
+date: 2018-01-10
+title: delayed_job_web ruby gem XSS vulnerability via `queues` parameter
+description: |
+  An exploitable cross site scripting (XSS) vulnerability exists in the
+  filter functionality of the delayed_job_web ruby gem. A specially crafted
+  URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary
+  javascript on the victim's browser. An attacker can phish an authenticated user
+  to trigger this vulnerability.
+
+cvss_v3: 6.1
+
+patched_versions:
+  - ">= 1.4.2"

gems/mail/OSVDB-131677.yml gems/mail/CVE-2015-9097.ymlgems/mail/OSVDB-131677.yml renamed to gems/mail/CVE-2015-9097.yml

@@ -0,0 +1,16 @@
+---
+gem: openssl
+cve: 2016-7798
+url: https://github.com/ruby/openssl/issues/49
+date: 2017-10-24
+title: Incorrect handling of initialization vector in the GCM mode in OpenSSL
+description: |
+  The openssl gem for Ruby uses the same initialization vector (IV) in
+  GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for
+  context-dependent attackers to bypass the encryption protection mechanism.
+
+cvss_v3: 7.5
+cvss_v2: 5.0
+
+patched_versions:
+  - ">= 2.0.0"

gems/openssl/CVE-2016-7798.yml

@@ -0,0 +1,16 @@
+---
+gem: ox
+cve: 2017-15928
+url: https://github.com/ohler55/ox/issues/194
+date: 2017-10-27
+title: ox ruby gem segmentation fault via parse_obj
+description: |
+  In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
+  fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated
+  "Ox should handle the error more gracefully" but has not confirmed a security implication.
+
+cvss_v3: 7.5
+cvss_v2: 5.0
+
+patched_versions:
+  - ">= 2.8.1"

gems/ox/CVE-2017-15928.yml

@@ -0,0 +1,16 @@
+---
+gem: ox
+cve: 2017-16229
+url: https://github.com/ohler55/ox/issues/195
+date: 2017-10-29
+title: ox ruby gem stack overflow in sax_parse
+description: |
+  In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based
+  buffer over-read in the read_from_str function in sax_buf.c when a crafted input
+  is supplied to sax_parse.
+
+cvss_v3: 5.5
+cvss_v2: 4.3
+
+patched_versions:
+  - ">= 2.8.2"

gems/ox/CVE-2017-16229.yml

@@ -0,0 +1,18 @@
+---
+gem: rack-protection
+cve: 2018-1000119
+url: https://github.com/sinatra/rack-protection/pull/98
+date: 2018-03-07
+title: rack-protection gem timing attack vulnerability when validating CSRF token
+description: |
+  Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains
+  a timing attack vulnerability in the CSRF token checking that can result in signatures
+  can be exposed. This attack appear to be exploitable via network connectivity to
+  the ruby application.
+
+cvss_v3: 5.9
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 1.5.5
+  - ">= 2.0.0"

gems/rack-protection/CVE-2018-1000119.yml

@@ -0,0 +1,12 @@
+---
+gem: radiant
+cve: 2018-5216
+url: https://github.com/imsebao/404team/blob/master/radiantcms.md
+date: 2018-01-04
+title: Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content cross site scripting
+description: |
+  Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content
+  parameter to an admin/pages/*/edit resource.
+
+cvss_v3: 5.4
+cvss_v2: 3.5

gems/radiant/CVE-2018-5216.yml

@@ -0,0 +1,22 @@
+---
+gem: rails_admin
+cve: 2017-12098
+url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
+date: 2018-01-10
+title: rails_admin ruby gem XSS vulnerability
+description: |
+  An exploitable cross site scripting (XSS) vulnerability exists in the
+  add filter functionality of the rails_admin rails gem version 1.2.0. A specially
+  crafted URL can cause an XSS flaw resulting in an attacker being able to execute
+  arbitrary javascript on the victim's browser. An attacker can phish an authenticated
+  user to trigger this vulnerability.
+
+cvss_v3: 6.1
+cvss_v2: 4.3
+
+patched_versions:
+  - ">= 1.3.0"
+
+related:
+  url:
+    - https://github.com/sferik/rails_admin/issues/2985

gems/rails_admin/CVE-2017-12098.yml

@@ -0,0 +1,15 @@
+---
+gem: rest-client
+cve: 2015-3448
+url: https://github.com/rest-client/rest-client/issues/349
+date: 2017-10-24
+title: rest-client ruby gem logs sensitive information
+description: |
+  REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and
+  passwords, which allows local users to obtain sensitive information by reading the
+  log.
+
+cvss_v2: 2.1
+
+patched_versions:
+  - ">= 1.7.3"

gems/rest-client/CVE-2015-3448.yml

@@ -0,0 +1,19 @@
+---
+gem: sinatra
+cve: 2018-7212
+url: https://github.com/sinatra/sinatra/pull/1379
+date: 2018-01-09
+title: sinatra ruby gem path traversal via backslash characters on Windows
+description: |
+An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb
+  in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash
+  characters.
+
+cvss_v3: 5.3
+cvss_v2: 5.0
+
+patched_versions:
+- ">= 2.0.1"
+
+unaffected_versions:
+- "< 2.0.0"