From c9ea30037681fe3bcbdcb18b28b13a5589a1f348 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sat, 24 Jan 2026 14:51:55 -0500
Subject: [PATCH 1/2] GHSA SYNC: advisories (1 brand new and 1 updated)

---
 gems/activerecord/CVE-2013-3221.yml | 38 +++++++++++++++++++++++++++++
 rubies/ruby/CVE-2009-1904.yml | 4 +--
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 gems/activerecord/CVE-2013-3221.yml

diff --git a/gems/activerecord/CVE-2013-3221.yml b/gems/activerecord/CVE-2013-3221.yml
new file mode 100644
index 0000000000..f3ef61def0
--- /dev/null
+++ b/gems/activerecord/CVE-2013-3221.yml
@@ -0,0 +1,38 @@
+---
+gem: activerecord
+framework: rails
+cve: 2013-3221
+ghsa: f57c-hx33-hvh8
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+title: Data-type injection vulnerability
+date: 2013-04-21
+description: |
+  The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
+  and 3.2.x does not ensure that the declared data type of a database
+  column is used during comparisons of input values to stored values
+  in that column, which makes it easier for remote attackers to
+  conduct data-type injection attacks against Ruby on Rails applications
+  via a crafted value, as demonstrated by unintended interaction
+  between the "typed XML" feature and a MySQL database.
+
+  ## RELEASE INFO
+  - Phrack writeup says that 'couple of days after the advisory the
+  issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
+  But "Indeed the vector is completely fixed as of Rails 4.2 almost
+  two years after the original advisory."
+cvss_v2: 6.4
+patched_versions:
+  - ">= 4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+    - https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
+    - https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
+    - https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
+    - http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
+    - http://openwall.com/lists/oss-security/2013/02/06/7
+    - http://openwall.com/lists/oss-security/2013/04/24/7
+    - https://gist.github.com/marianposaceanu/5442275
+    - https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
+    - https://github.com/advisories/GHSA-f57c-hx33-hvh8
+    - https://phrack.org/issues/69/12
diff --git a/rubies/ruby/CVE-2009-1904.yml b/rubies/ruby/CVE-2009-1904.yml
index 89e0fff5b3..00d2f3cd87 100644
--- a/rubies/ruby/CVE-2009-1904.yml
+++ b/rubies/ruby/CVE-2009-1904.yml
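Review bot: The `patched_versions` entry `- ">= 4.2"` in the new advisory, read against a description that bounds the affected releases at 2.3.x through 3.2.x, leaves Rails 4.0.x and 4.1.x implicitly classified as vulnerable without the file saying whether that is intended. Tools that consume this entry will presumably report every release below 4.2 as affected, so the basis for that range should be recorded rather than left to the reader to infer from the quoted Phrack remark. If the Phrack statement is the basis, add a line under `## RELEASE INFO` such as `Rails 4.0.x and 4.1.x are listed as affected because the partial fix in 3.2.12 (921a296) was only completed in 4.2; see the Phrack reference.`; if it is not, an explicit unaffected-versions range, where the database schema supports one, would narrow the match to what NVD lists. The later commit in this series only changes the version string to `">= 4.2.0"` and does not address this.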
@@ -1,7 +1,7 @@
 ---
 engine: ruby
 cve: 2009-1904
-ghsa: v74x-h8vc-p3j5
+ghsa: prwc-wj59-8vwr
 osvdb: 55031
 url: https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
 title: "CVE-2009-1904 ruby: DoS vulnerability in BigDecimal"
@@ -19,5 +19,5 @@ related:
   url:
     - https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
     - https://nvd.nist.gov/vuln/detail/CVE-2009-1904
-    - https://github.com/advisories/GHSA-v74x-h8vc-p3j5
+    - https://github.com/advisories/GHSA-prwc-wj59-8vwr
     - http://www.osvdb.org/show/osvdb/55031

From e378f24ad6b0fdc218bd863ca8fdb7692c067025 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Fri, 30 Jan 2026 23:21:12 -0800
Subject: [PATCH 2/2] Use the full semantic version string.

---
 gems/activerecord/CVE-2013-3221.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gems/activerecord/CVE-2013-3221.yml b/gems/activerecord/CVE-2013-3221.yml
index f3ef61def0..80afb6639d 100644
--- a/gems/activerecord/CVE-2013-3221.yml
+++ b/gems/activerecord/CVE-2013-3221.yml
@@ -22,7 +22,7 @@ description: |
   two years after the original advisory."
 cvss_v2: 6.4
 patched_versions:
-  - ">= 4.2"
+  - ">= 4.2.0"
 related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2013-3221