Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-09 Thread Brian May
Utkarsh Gupta writes:
> Just a quick question about this patch since I haven't really tested
> this at all (however aware of the CVE),
> Is checking signature before sending a request to openid.claimed_id URL
> strict enough?

Yes, that is my understanding. If the signature is checked, that makes

Please STOP sending [SECURITY] [XXX ----------] howardn...@earthlink.org

2019-10-09 Thread howard
On 10/7/19 4:14 AM, Abhijith PA wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: ruby-mini-magick
Version: 3.8.1-1+deb8u1
CVE ID : CVE-2019-13574
Debian Bug : 931932
In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image filename co

STOP sending [SECURITY] [XXX ----------] to howardn...@earthlink.org

2019-10-09 Thread howard
*STOP sending [SECURITY] [XXX --] to howardn...@earthlink.org*

On 10/7/19 4:14 AM, Abhijith PA wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: ruby-mini-magick
Version: 3.8.1-1+deb8u1
CVE ID : CVE-2019-13574
Debian Bug : 931932
In lib/mini_m

Re: libsdl2 patches cause regressions in Jessie

2019-10-09 Thread Hugo Lefeuvre
On Mon, Oct 07, 2019 at 11:22:45PM +0200, Hugo Lefeuvre wrote:
> > This looks like a regression, indeed. I will provide a regression update
> > as soon as possible.
>
> Looks like I'm actually not the one who issued this update. Abhijith: do
> you want to handle this, or should I proceed with a f