
Re: Security issues in standards (ruby-openid / CVE-2019-11027)

Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> I am not quite sure about what we should do here, because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems, as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
> remains.

I guess we have three options:

1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any
complaints however...
3. Apply the #126 patch too. Not 100% convinced this is a justified
change for LTS, but it "looks right".
4. Wait longer for possible upstream solution to #125.

Any opinions?

Brian May <bam@debian.org>