Re: Security issues in standards (ruby-openid / CVE-2019-11027)

To: debian-lts@lists.debian.org
Subject: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
From: Brian May <bam@debian.org>
Date: Thu, 10 Oct 2019 16:53:11 +1100
Message-id: <[🔎] 8736g15epk.fsf@silverfish.pri>
In-reply-to: <[🔎] 3de1e93a-82a0-84cf-2944-19df7f49d54c@gmail.com>
References: <87k1bit4ak.fsf@silverfish.pri> <[🔎] 878spu5tgs.fsf@silverfish.pri> <[🔎] 3de1e93a-82a0-84cf-2944-19df7f49d54c@gmail.com>

Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Just a quick question about this patch since I haven't really tested
> this at all (however aware of the CVE),
> Is checking signature before sending a request to openid.claimed_id URL
> strict enough?

Yes, that is my understanding. If the signature is checked, that makes
it impossible for a third party to change the claimed_id URL, rendering
the attack impossible.

I don't claim to be an expert on this however.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Security issues in standards (ruby-openid / CVE-2019-11027)
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

References:
- Re: Security issues in standards (ruby-openid / CVE-2019-11027)
  - From: Brian May <bam@debian.org>
- Re: Security issues in standards (ruby-openid / CVE-2019-11027)
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: Please STOP sending [SECURITY] [XXX ----------] howardnoon@earthlink.org
Next by Date: Re: libsdl2 patches cause regressions in Jessie
Previous by thread: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Next by thread: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Index(es):
- Date
- Thread