Security issues in standards (ruby-openid / CVE-2019-11027)

[Brian May <bam@debian.org>]

Hello,

Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the
security issues orignate from problems with the standard. Which likely
means that all implementations are vulnerable.

As LTS developers, I don't think there is anything we can do with these
issues, because we cannot break the known standard in a LTS release just
to fix a security issue, as this would break applications that use this
library.

I don't yet fully understand this security vulnerability, however the
researcher has recommended that detailed error messages be replaced by
generic errors. While this doesn't solve the security issue, it makes it
a little bit harder to exploit. So I guess this is something we could
do. Although I am unclear how we should mark this change up in the
security tracker...

There are also some recommendations for application developers. However
I don't see any applications in Debian/Jessie that depend on
ruby-openid. So I don't think we can do anything with these
recommendations.

Presumably that means anybody who who needs this library, has installed
it for locally installed applications. I see "find-work" has given
ruby-openid a score of 2.35%

It is also worth noting that there are other potential security issues
with this library, e.g. see
https://github.com/openid/ruby-openid/issues/98

Regards
-- 
Brian May <bam@debian.org>