Source: ruby-openid
Version: 2.7.0debian-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/openid/ruby-openid/issues/122

Hi,

The following vulnerability was published for ruby-openid.

CVE-2019-11027[0]:
| Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
| flaw. This library is used by Rails web applications to integrate with
| OpenID Providers. Severity can range from medium to critical,
| depending on how a web application developer chose to employ the
| ruby-openid library. Developers who based their OpenID integration
| heavily on the "example app" provided by the project are at highest
| risk.

Unfortunately there is very scarce information available for this issue.
SuSE folks did try to ask upstream in [1]. Originally the assignment
seems to come from [2], but this as well practically does not give
enough information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11027
[1] https://github.com/openid/ruby-openid/issues/122
[2] https://marc.info/?l=openid-security&m=155154717027534&w=2

Regards,
Salvatore