
Re: Security issues in standards (ruby-openid / CVE-2019-11027)



Hi

I think we should consider marking this package unsupported.

// Ola

On Tue, 13 Aug 2019 at 00:20, Brian May <bam@debian.org> wrote:
Hello,

Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the
security issues originate from problems with the standard. Which likely
means that all implementations are vulnerable.

As LTS developers, I don't think there is anything we can do with these
issues, because we cannot break the known standard in an LTS release just
to fix a security issue, as this would break applications that use this
library.

I don't yet fully understand this security vulnerability, however the
researcher has recommended that detailed error messages be replaced by
generic errors. While this doesn't solve the security issue, it makes it
a little bit harder to exploit. So I guess this is something we could
do. Although I am unclear how we should mark this change up in the
security tracker...

There are also some recommendations for application developers. However
I don't see any applications in Debian/Jessie that depend on
ruby-openid. So I don't think we can do anything with these
recommendations.

Presumably that means anybody who needs this library has installed
it for locally installed applications. I see "find-work" has given
ruby-openid a score of 2.35%.

It is also worth noting that there are other potential security issues
with this library, e.g. see
https://github.com/openid/ruby-openid/issues/98

Regards
--
Brian May <bam@debian.org>



--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
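As an added example that is not part of this thread or of ruby-openid's code, the Ruby below contrasts a response verifier that tells the caller exactly which check failed with one that returns a single generic error and keeps the detail in a server-side log, which is the researcher's recommendation Brian quotes above. The field names, the HMAC scheme and the shared secret are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-in for the association key a relying party would hold.
SHARED_SECRET = 'constructed-demo-secret'.freeze

# Constant-time byte comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HMAC over the fields named in "signed", in the order they are listed.
def compute_sig(fields)
  payload = fields.fetch('signed').split(',').map { |k| "#{k}:#{fields.fetch(k)}\n" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', SHARED_SECRET, payload))
end

# Verbose verifier: every failure names the check and the offending field,
# so a caller probing the endpoint learns which check it tripped.
def verify_verbose(fields)
  return 'missing field: signed' unless fields['signed']
  return 'missing field: sig' unless fields['sig']
  fields['signed'].split(',').each do |k|
    return "signed field '#{k}' not present" unless fields.key?(k)
  end
  return 'signature mismatch' unless secure_equal?(fields['sig'], compute_sig(fields))
  :ok
end

# Hardened verifier: same checks, but the caller only ever sees one generic
# outcome; the specific reason goes to a log the relying party controls.
def verify_generic(fields, log = [])
  reason = verify_verbose(fields)
  return :ok if reason == :ok
  log << "openid verification failed: #{reason}"
  :verification_failed
end
```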

