[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security issues in standards (ruby-openid / CVE-2019-11027)


I think we should consider to mark this package unsupported.

// Ola

On Tue, 13 Aug 2019 at 00:20, Brian May <bam@debian.org> wrote:

Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the
security issues orignate from problems with the standard. Which likely
means that all implementations are vulnerable.

As LTS developers, I don't think there is anything we can do with these
issues, because we cannot break the known standard in a LTS release just
to fix a security issue, as this would break applications that use this

I don't yet fully understand this security vulnerability, however the
researcher has recommended that detailed error messages be replaced by
generic errors. While this doesn't solve the security issue, it makes it
a little bit harder to exploit. So I guess this is something we could
do. Although I am unclear how we should mark this change up in the
security tracker...

There are also some recommendations for application developers. However
I don't see any applications in Debian/Jessie that depend on
ruby-openid. So I don't think we can do anything with these

Presumably that means anybody who who needs this library, has installed
it for locally installed applications. I see "find-work" has given
ruby-openid a score of 2.35%

It is also worth noting that there are other potential security issues
with this library, e.g. see

Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: