[Git][security-tracker-team/security-tracker][master] Details of ruby-openid security vulnerability published

Mon, 12 Aug 2019 00:38:13 -0700 


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4192bab2 by Brian May at 2019-08-12T07:34:16Z
Details of ruby-openid security vulnerability published

"the source of the weakness can be traced back to the Final OpenID 2.0
spec"

As such, am concerned this could affect other openid 2.0
implementations.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -11466,7 +11466,7 @@ CVE-2015-9284 (The request phase of the OmniAuth Ruby 
gem is vulnerable to Cross
 CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely 
exploitable ...)
        - ruby-openid <undetermined> (bug #930388)
        NOTE: https://github.com/openid/ruby-openid/issues/122
-       NOTE: Even upstream doesn't know what this is about at this point
+       NOTE: 
https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
 CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 
has infini ...)
        - poppler <unfixed> (low; bug #926721)
        [buster] - poppler <ignored> (Minor issue)


=====================================
data/dla-needed.txt
=====================================
@@ -110,6 +110,7 @@ ruby-openid
   NOTE: 20190705: Pinged bug (lamby)
   NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see 
https://github.com/openid/ruby-openid/issues/122) so returning to the pool. 
(lamby)
   NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) 
(lamby)
+  NOTE: 20190812: Details: 
https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
 --
 slurm-llnl
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to