Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- To: Utkarsh Gupta <firstname.lastname@example.org>, email@example.com
- Subject: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- From: Brian May <firstname.lastname@example.org>
- Date: Wed, 06 Nov 2019 17:17:46 +1100
- Message-id: <email@example.com>
- In-reply-to: <firstname.lastname@example.org>
- References: <email@example.com> <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org>
Utkarsh Gupta <email@example.com> writes:
> I am not quite sure about what we should do here because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
I guess we have three options:
1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any
3. Apply the #126 patch too. Not 100% convinced this is a justified
change for LTS, but it "looks right".
4. Wait longer for possible upstream solution to #125.
Brian May <firstname.lastname@example.org>