
Re: Security issues in standards (ruby-openid / CVE-2019-11027)


On 06/11/19 11:47 am, Brian May wrote:
> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>> I am not quite sure what we should do here, because the update (DLA
>> 1956-1) doesn't quite fix the CVE completely and also brings some login
>> problems, as reported in #125.
>> Because for now, #121 + #126 = actual CVE fix. But the login problem
>> remains.
> I guess we have three options:
> 1. Do nothing.
> 2. Revert the #121 patch, because it could break. I haven't seen any
> complaints however...

Whilst that is true, I'd rather not have someone face an "unexpected
response" error.
Though I hope no one is using that feature yet :)

> 3. Apply the #126 patch too. Not 100% convinced this is a justified
> change for LTS, but it "looks right".
> 4. Wait longer for possible upstream solution to #125.
> Any opinions?

I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.

