Re: Security issues in standards (ruby-openid / CVE-2019-11027)
On 06/11/2019 21:14, Utkarsh Gupta wrote:
> On 06/11/19 11:47 am, Brian May wrote:
>> Utkarsh Gupta <email@example.com> writes:
>>> I am not quite sure about what we should do here because the update (DLA
>>> 1956-1) doesn't quite fix the CVE completely and also brings some login
>>> problems as reported in #125.
>>> Because for now, #121 + #126 = actual CVE fix. But the login problem
>> I guess we have three options:
>> 1. Do nothing.
>> 2. Revert the #121 patch, because it could break. I haven't seen any
>> complaints however...
> Whilst that is true, I'd rather not want someone to face an "unexpected
> response" error.
> Though I hope no one is using that feature yet :)
>> 3. Apply the #126 patch too. Not 100% convinced this is a justified
>> change for LTS, but it "looks right".
>> 4. Wait longer for possible upstream solution to #125.
>> Any opinions?
> I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.
Do the package maintainers have an opinion on this?
This can help.
Raphael, given that this package is low popcon and the vulnerability is
fuzzy, do you know if the sponsor for this package would be willing to