Hi, I think we should consider marking this package unsupported.

// Ola

On Tue, 13 Aug 2019 at 00:20, Brian May <[email protected]> wrote:
> Hello,
>
> Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the
> security issues originate from problems with the standard. Which likely
> means that all implementations are vulnerable.
>
> As LTS developers, I don't think there is anything we can do with these
> issues, because we cannot break the known standard in a LTS release just
> to fix a security issue, as this would break applications that use this
> library.
>
> I don't yet fully understand this security vulnerability, however the
> researcher has recommended that detailed error messages be replaced by
> generic errors. While this doesn't solve the security issue, it makes it
> a little bit harder to exploit. So I guess this is something we could
> do. Although I am unclear how we should mark this change up in the
> security tracker...
>
> There are also some recommendations for application developers. However
> I don't see any applications in Debian/Jessie that depend on
> ruby-openid. So I don't think we can do anything with these
> recommendations.
>
> Presumably that means anybody who needs this library has installed
> it for locally installed applications. I see "find-work" has given
> ruby-openid a score of 2.35%.
>
> It is also worth noting that there are other potential security issues
> with this library, e.g. see
> https://github.com/openid/ruby-openid/issues/98
>
> Regards
> --
> Brian May <[email protected]>
>

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
| [email protected]  [email protected]                        |
| http://inguza.com/        Mobile: +46 (0)70-332 1551         |
---------------------------------------------------------------
