[Git][security-tracker-team/security-tracker][master] Details of ruby-openid security vulnerability published
Brian May
bam at debian.org
Mon Aug 12 08:37:07 BST 2019
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4192bab2 by Brian May at 2019-08-12T07:34:16Z
Details of ruby-openid security vulnerability published
"the source of the weakness can be traced back to the Final OpenID 2.0
spec"
As such, am concerned this could affect other openid 2.0
implementations.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -11466,7 +11466,7 @@ CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross
CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...)
- ruby-openid <undetermined> (bug #930388)
NOTE: https://github.com/openid/ruby-openid/issues/122
- NOTE: Even upstream doesn't know what this is about at this point
+ NOTE: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infini ...)
- poppler <unfixed> (low; bug #926721)
[buster] - poppler <ignored> (Minor issue)
=====================================
data/dla-needed.txt
=====================================
@@ -110,6 +110,7 @@ ruby-openid
NOTE: 20190705: Pinged bug (lamby)
NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby)
NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby)
+ NOTE: 20190812: Details: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
--
slurm-llnl
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190812/10c7f96f/attachment.html>
More information about the debian-security-tracker-commits
mailing list