Re: Security issues in standards (ruby-openid / CVE-2019-11027)

Hi Sylvain, hi all,

On Thu, 7 Nov, 2019, 3:19 PM Sylvain Beucler, <beuc@beuc.net> wrote:

> On 06/11/2019 21:14, Utkarsh Gupta wrote:
>> On 06/11/19 11:47 am, Brian May wrote:
>>> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>>>> I am not quite sure about what should we do here because the update (DLA
>>>> 1956-1) doesn't quite fix the CVE completely and also brings some login
>>>> problems as reported in #125.
>>>> Because for now, #121 + #126 = actual CVE fix. But the login problem
>>>> remains.
>>> I guess we have three options:
>>> 1. Do nothing.
>>> 2. Revert the #121 patch, because it could break. I haven't seen any
>>> complaints however...
>> Whilst that is true, I'd rather not want someone to face an "unexpected
>> response" error.
>> Though I hope no one is using that feature yet :)
>>> 3. Apply the #126 patch too. Not 100% convinced this is a justified
>>> change for LTS, but it "looks right".
>>> 4. Wait longer for possible upstream solution to #125.
>>> Any opinions?
>> I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.
> Do the package maintainers have an opinion on this?
> This can help.

I recently fixed (by fixing, I mean importing the CVE fix, not the problem it causes) this in unstable and I'm one of the package maintainers now :)

> Raphael, given that this package is low popcon and the vulnerability is
> fuzzy, do you know if the sponsor for this package would be willing to
> test fixes?

Given Raphael's last mail, I'm not sure if it could *really* be tested. What makes sense now is to wait for the upstream fix *until* someone who uses this library grumbles :)