Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- To: Utkarsh Gupta <guptautkarsh2102@gmail.com>, debian-lts@lists.debian.org
- Subject: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- From: Brian May <bam@debian.org>
- Date: Wed, 06 Nov 2019 17:17:46 +1100
- Message-id: <87zhh95y0l.fsf@silverfish.pri>
- In-reply-to: <866124d1-3e67-db23-ef82-4c1cd33542d4@gmail.com>
- References: <87k1bit4ak.fsf@silverfish.pri> <878spu5tgs.fsf@silverfish.pri> <3de1e93a-82a0-84cf-2944-19df7f49d54c@gmail.com> <8736g15epk.fsf@silverfish.pri> <bb10748d-1819-cf13-ae99-e30563246956@gmail.com> <866124d1-3e67-db23-ef82-4c1cd33542d4@gmail.com>
Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
> I am not quite sure about what we should do here because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
> remains.
I guess we have three options:
1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any
complaints however...
3. Apply the #126 patch too. Not 100% convinced this is a justified
change for LTS, but it "looks right".
4. Wait longer for a possible upstream solution to #125.
Any opinions?
--
Brian May <bam@debian.org>