Skip to content

GHSA SYNC: Advisories (2 mruby and 1 mrubyc brand new) plus schema change#971

Merged
postmodern merged 4 commits intorubysec:masterfrom
jasnow:ghsa-syncbot-2026-01-23-19_38_20
Jan 31, 2026
Merged

GHSA SYNC: Advisories (2 mruby and 1 mrubyc brand new) plus schema change#971
postmodern merged 4 commits intorubysec:masterfrom
jasnow:ghsa-syncbot-2026-01-23-19_38_20

Conversation

@jasnow
Copy link
Contributor

@jasnow jasnow commented Jan 24, 2026
edited
Loading

GHSA SYNC: Advisories (2 mruby and 1 mrubyc brand new) plus schema change

@jasnow jasnow changed the title GHSA SYNC: 2 mruby and 1 mrubyc brand new advisory plus schema change GHSA SYNC: Advisories (2 mruby and 1 mrubyc brand new) plus schema change Jan 24, 2026
@postmodern postmodern merged commit 8ba0f94 into rubysec:master Jan 31, 2026
1 check passed
postmodern
postmodern reviewed Jan 31, 2026
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to decide on a policy for when a patched version has not yet been released. Do we A) list the upcoming future version number B) omit patched_versions: to indicate that no official version is considered patched? I personally think it's confusing to instruct users to upgrade to a version that does not exist yet.

rubies/mruby/CVE-2025-12875.yml
cvss_v3: 7.8
cvss_v4: 4.8
patched_versions:
- ">= 3.5.0"
Copy link
Member

@postmodern postmodern Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. mruby 3.5.0 has not been released yet. patched_versions: should be omitted until 3.5.0 is released. Instructing users to upgrade to a version that does not exist yet is not helpful.

rubies/mruby/CVE-2025-13120.yml
cvss_v3: 5.5
cvss_v4: 4.8
patched_versions:
- ">= 3.5.0"
Copy link
Member

@postmodern postmodern Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. mruby 3.5.0 has not been released yet. patched_versions: should be omitted until 3.5.0 is released. Instructing users to upgrade to a version that does not exist yet is not helpful.

@jasnow
Copy link
Contributor Author

jasnow commented Jan 31, 2026

I suggest we use the notes: "Never patched" line in place of the patched_versions field (just like in the
github_advisory_sync.rb script).

@jasnow jasnow deleted the ghsa-syncbot-2026-01-23-19_38_20 branch January 31, 2026 13:10
@postmodern
Copy link
Member

postmodern commented Jan 31, 2026

I suggest we use the notes: "Never patched" line in place of the patched_versions field (just like in the github_advisory_sync.rb script).

I am not a fan of notes: as it is not really used by anything. Plus, omitting patched_versions: already indicates that no patches are available. I vote that we eliminate notes: Never patched as it is redundant information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jasnow @postmodern