Sync with GitHub Security Advisories

* Add advisories for fat_free_crm/CVE-2022-39281, google-protobuf/CVE-2022-3171,
  katello/CVE-2019-14825, nokogiri/GHSA-2qc6-mcvw-92cw, and sqlite3/GHSA-mgvv-5mxp-xq67

* Add CVSSv3 score for sanitize/CVE-2018-3740

Author: reedloden

gems/fat_free_crm/CVE-2022-39281.yml

@@ -0,0 +1,50 @@
+---
+gem: fat_free_crm
+cve: 2022-39281
+ghsa: p75c-5x3h-cxcg
+url: https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-p75c-5x3h-cxcg
+title: Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
+date: 2022-10-07
+description: |+
+  ### Impact
+  An authenticated user can perform a remote Denial of Service attack against
+  Fat Free CRM.
+
+  This vulnerability has been assigned the CVE identifier: CVE-2022-39281
+
+  Affected versions: All
+  Not affected: None
+  Fixed versions: 0.20.1
+
+  All users running an affected release should either upgrade or apply the patch
+  immediately.
+
+  ### Releases
+  Fixed versions: 0.20.1 and above
+
+  ### Patches
+
+  If you are unable to upgrade immediately, you should apply the following
+  patch.
+
+  ```
+  diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
+  index d3d5c32c..7cdb24d6 100644
+  --- a/app/models/polymorphic/task.rb
+  +++ b/app/models/polymorphic/task.rb
+  @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
+     #----------------------------------------------------------------------------
+     def self.bucket_empty?(bucket, user, view = "pending")
+       return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+  +    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
+
+       if view == "assigned"
+         assigned_by(user).send(bucket).pending.count
+  ```
+cvss_v3: 6.5
+patched_versions:
+- ">= 0.20.1"
+related:
+  url:
+  - https://github.com/fatfreecrm/fat_free_crm/commit/c85a2546348c2692d32f952c753f7f0b43d1ca71
+  - https://github.com/fatfreecrm/fat_free_crm/releases/tag/v0.20.1

gems/google-protobuf/CVE-2022-3171.yml

@@ -0,0 +1,51 @@
+---
+gem: google-protobuf
+platform: jruby
+cve: 2022-3171
+ghsa: h4h5-3hr4-j3g2
+url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
+title: protobuf-java has a potential Denial of Service issue
+date: 2022-10-04
+description: |
+  ## Summary
+  A potential Denial of Service issue in `protobuf-java` core and lite was
+  discovered in the parsing procedure for binary and text format data.
+  Input streams containing multiple instances of non-repeated [embedded
+  messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded)
+  with repeated or unknown fields causes objects to be converted back-n-forth
+  between mutable and immutable forms, resulting in potentially long garbage
+  collection pauses.
+
+  Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)
+
+  Affected versions: This issue affects both the Java full and lite Protobuf
+  runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the
+  Java Protobuf runtime.
+
+  ## Severity
+
+  [CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171)
+  Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
+
+  ## Remediation and Mitigation
+
+  Please update to the latest available versions of the following packages:
+
+  * protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+  * protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+  * protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+  * protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+  * google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
+cvss_v3: 5.7
+patched_versions:
+- "~> 3.16.3"
+- "~> 3.19.6"
+- "~> 3.20.3"
+- ">= 3.21.7"
+related:
+  url:
+  - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
+  - https://github.com/protocolbuffers/protobuf/releases/tag/v21.7
+  - https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
+  - https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
+  - https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3

gems/katello/CVE-2019-14825.yml

@@ -0,0 +1,24 @@
+---
+gem: katello
+cve: 2019-14825
+ghsa: m4wh-848j-9w2r
+url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825
+title: Katello cleartext password storage issue
+date: 2022-05-24
+description: |
+  A cleartext password storage issue was discovered in Katello, versions
+  3.x.x.x before katello 3.12.2. Registry credentials used during container image
+  discovery were inadvertently logged without being masked. This flaw could expose
+  the registry credentials to other privileged users.
+cvss_v3: 2.7
+patched_versions:
+- ">= 3.12.2"
+related:
+  url:
+  - https://github.com/Katello/katello/pull/8244
+  - https://github.com/Katello/katello/pull/8253
+  - https://github.com/Katello/katello/commit/332484232b66b7907a8104a19ea97eb697b75c79
+  - https://github.com/Katello/katello/commit/4eefa678a905140620ca8b390d48fe318d36e4ea
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1730668
+  - https://github.com/Katello/katello/commits/3.12.2
+  - https://projects.theforeman.org/issues/27485

gems/nokogiri/GHSA-2qc6-mcvw-92cw.yml

@@ -0,0 +1,87 @@
+---
+gem: nokogiri
+ghsa: 2qc6-mcvw-92cw
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
+title: Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
+date: 2022-10-18
+description: |
+  ### Summary
+
+  Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to
+  [v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from
+  v2.9.14.
+
+  libxml2 v2.10.3 addresses the following known vulnerabilities:
+
+  - [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
+  - [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
+  - [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)
+
+  Please note that this advisory only applies to the CRuby implementation of
+  Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If
+  you've overridden defaults at installation time to use _system_ libraries
+  instead of packaged libraries, you should instead pay attention to your
+  distro's `libxml2` release announcements.
+
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.9`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated
+  mitigation: compile and link Nokogiri against external libraries libxml2
+  `>= 2.10.3` which will also address these same issues.
+
+
+  ### Impact
+
+  #### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
+
+  - **CVSS3 score**: Under evaluation
+  - **Type**: Denial of service
+  - **Description**: NULL Pointer Dereference allows attackers to cause a denial
+  of service (or application crash). This only applies when lxml is used
+  together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not
+  affected. It allows triggering crashes through forged input data, given a
+  vulnerable code sequence in the application. The vulnerability is caused by
+  the iterwalk function (also used by the canonicalize function). Such code
+  shouldn't be in wide-spread use, given that parsing + iterwalk would usually
+  be replaced with the more efficient iterparse function. However, an XML
+  converter that serialises to C14N would also be vulnerable, for example, and
+  there are legitimate use cases for this code sequence. If untrusted input is
+  received (also remotely) and processed via iterwalk function, a crash can be
+  triggered.
+
+  Nokogiri maintainers investigated at #2620 and determined this CVE does not
+  affect Nokogiri users.
+
+
+  #### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
+
+  - **CVSS3 score**: Unspecified upstream
+  - **Type**: Data corruption, denial of service
+  - **Description**: When an entity reference cycle is detected, the entity
+  content is cleared by setting its first byte to zero. But the entity content
+  might be allocated from a dict. In this case, the dict entry becomes corrupted
+  leading to all kinds of logic errors, including memory errors like
+  double-frees.
+
+  See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2
+
+
+  #### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)
+
+  - **CVSS3 score**: Unspecified upstream
+  - **Type**: Integer overflow
+  - **Description**: Integer overflows with XML_PARSE_HUGE
+
+  See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
+patched_versions:
+- ">= 1.13.19"
+related:
+  url:
+  - https://gitlab.gnome.org/GNOME/libxml2/-/releases
+  cve:
+  - 2022-2309
+  - 2022-40304
+  - 2022-40303

gems/sanitize/CVE-2018-3740.yml

@@ -13,11 +13,12 @@ description: |
 
   This can allow HTML and JavaScript injection, which could result in XSS
   if Sanitize's output is served to browsers.
+cvss_v3: 7.5
 unaffected_versions:
-- < 1.1.0
+- "< 1.1.0"
 patched_versions:
-- ~> 2.1.1
-- '>= 4.6.3'
+- "~> 2.1.1"
+- ">= 4.6.3"
 related:
   url:
   - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e

gems/sqlite3/GHSA-mgvv-5mxp-xq67.yml

@@ -0,0 +1,54 @@
+---
+gem: sqlite3
+ghsa: mgvv-5mxp-xq67
+url: https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-mgvv-5mxp-xq67
+title: SQLite3 addresses vulnerability in packaged version of libsqlite
+date: 2022-10-03
+description: |-
+  ### Summary
+
+  The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from
+  v3.39.3 to [v3.39.4](https://sqlite.org/releaselog/3_39_4.html).
+
+  libsqlite v3.39.4 addresses a vulnerability described as follows in the
+  release notification:
+
+  > Version 3.39.4 is a minimal patch against the prior release that addresses
+  > issues found since the prior release. In particular, a potential
+  > vulnerability in the FTS3 extension has been fixed, so this should be
+  > considered a security update.
+  >
+  > In order to exploit the vulnerability, an attacker must have full SQL access
+  > and must be able to construct a corrupt database with over 2GB of FTS3
+  > content. The problem arises from a 32-bit signed integer overflow.
+
+  This vulnerability has not been assigned a CVE and does not have a severity
+  declared.
+
+  Please note that this advisory only applies to the sqlite3 gem v1.5.0, and
+  only if the packaged libsqlite is being used. If you've overridden defaults at
+  installation time to use system libraries instead of packaged libraries, you
+  should instead pay attention to your distro's libsqlite release announcements.
+
+
+  ### Mitigation
+
+  Upgrade to the rubygem sqlite3 v1.5.1 or later.
+
+  Users who are unable to upgrade the sqlite3 gem may also choose a more
+  complicated mitigation: compile and link sqlite3 against external libsqlite >=
+  3.39.4 which will also address these same issues.
+
+
+  ### References
+
+  - Upstream release notes: https://sqlite.org/releaselog/3_39_4.html
+  - Instructions for compiling against system libraries:
+    https://github.com/sparklemotion/sqlite3-ruby
+unaffected_versions:
+- "!= 1.5.0"
+patched_versions:
+- ">= 1.5.1"
+related:
+  url:
+  - https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v1.5.1