Re: Security issues in standards (ruby-openid / CVE-2019-11027)

To: Utkarsh Gupta <guptautkarsh2102@gmail.com>, debian-lts@lists.debian.org
Subject: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
From: Brian May <bam@debian.org>
Date: Wed, 06 Nov 2019 17:17:46 +1100
Message-id: <[🔎] 87zhh95y0l.fsf@silverfish.pri>
In-reply-to: <866124d1-3e67-db23-ef82-4c1cd33542d4@gmail.com>
References: <87k1bit4ak.fsf@silverfish.pri> <878spu5tgs.fsf@silverfish.pri> <3de1e93a-82a0-84cf-2944-19df7f49d54c@gmail.com> <8736g15epk.fsf@silverfish.pri> <bb10748d-1819-cf13-ae99-e30563246956@gmail.com> <866124d1-3e67-db23-ef82-4c1cd33542d4@gmail.com>

Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> I am not quite sure about what should we do here because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
> remains.

I guess we have three options:

1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any
complaints however...
3. Apply the #126 patch too. Not 100% convinced this is a justified
change for LTS, but it "looks right".
4. Wait longer for possible upstream solution to #125.

Any opinions?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Security issues in standards (ruby-openid / CVE-2019-11027)
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: LTS report for October 2019 - Abhijith PA
Next by Date: Introduction new LTS trainee
Previous by thread: LTS report for October 2019 - Abhijith PA
Next by thread: Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Index(es):
- Date
- Thread