Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- To: Utkarsh Gupta <email@example.com>, firstname.lastname@example.org
- Subject: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
- From: Brian May <email@example.com>
- Date: Wed, 06 Nov 2019 17:17:46 +1100
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <email@example.com>
- References: <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <email@example.com>
Utkarsh Gupta <firstname.lastname@example.org> writes:
> I am not quite sure about what should we do here because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
I guess we have three options:
1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any
3. Apply the #126 patch too. Not 100% convinced this is a justified
change for LTS, but it "looks right".
4. Wait longer for possible upstream solution to #125.
Brian May <email@example.com>