[Git][security-tracker-team/security-tracker][master] Declared CVE-2016-11086 as minor issue since the problem is exploitable if...
Ola Lundqvist
opal at debian.org
Tue Dec 15 06:48:21 GMT 2020
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
43736bcb by Ola Lundqvist at 2020-12-15T07:48:09+01:00
Declared CVE-2016-11086 as a minor issue since the problem is exploitable if /etc/ssl/certs/ca-certificates.crt does not exist. However, this file normally exists since ruby-oauth depends on ruby, which in turn depends on the ca-certificates package, which generates this file. This means that in Debian this file always exists unless the admin has intentionally removed it. So the package is vulnerable, but typically not in Debian. Updating this vulnerability could even cause a regression because some server admin may intentionally have removed this file to not check the certificate.
- - - - -
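The failure mode the commit message describes, as an added illustrative example in Ruby (not oauth-ruby's own code and not a patch for it): the weak "no CA bundle, so no verification" pattern beside a version that never turns verification off, falling back to OpenSSL's default store or failing closed instead. The bundle path is the Debian one named above; the function names, the MissingCABundle class and the temporary file used in the demonstration are this example's own assumptions.

```ruby
require "openssl"
require "tmpdir"
require "fileutils"

# Illustrative example, not oauth-ruby's own code: two ways a Ruby HTTPS
# client can react when the distribution CA bundle is absent.
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt".freeze

# Hypothetical error type used by the hardened variant below.
class MissingCABundle < StandardError; end

# Weak pattern (the failure mode described in the commit message): if the
# bundle is missing, verification is switched off, so a removed or
# never-installed bundle silently makes every connection unauthenticated.
def weak_verify_mode(ca_file = DEBIAN_CA_BUNDLE)
  File.exist?(ca_file) ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end

# Hardened pattern: VERIFY_PEER is unconditional. With the bundle present it
# is used; without it, OpenSSL's compiled-in default paths are used instead;
# with require_bundle: true the caller gets an exception (fail closed).
def hardened_ssl_settings(ca_file = DEBIAN_CA_BUNDLE, require_bundle: false)
  settings = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  if File.exist?(ca_file)
    settings[:ca_file] = ca_file
  elsif require_bundle
    raise MissingCABundle, "#{ca_file} is missing; refusing to connect without verification"
  else
    settings[:use_default_store] = true
  end
  settings
end

# Turn the settings into a real SSLContext, i.e. what would be handed to
# Net::HTTP (#ca_file / #cert_store) or to an OpenSSL::SSL::SSLSocket.
def build_ssl_context(settings)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = settings[:verify_mode]
  if settings[:ca_file]
    ctx.ca_file = settings[:ca_file]
  elsif settings[:use_default_store]
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    ctx.cert_store = store
  end
  ctx
end

# Probe both patterns against a given bundle path and report what they do.
def probe(ca_file)
  hardened = hardened_ssl_settings(ca_file)
  {
    bundle_present: File.exist?(ca_file),
    weak_verifies: weak_verify_mode(ca_file) == OpenSSL::SSL::VERIFY_PEER,
    hardened_verifies: build_ssl_context(hardened).verify_mode == OpenSSL::SSL::VERIFY_PEER,
    hardened_source: hardened[:ca_file] ? :bundle : :default_store,
  }
end

# Stand-alone demonstration with a constructed, temporary bundle path so the
# system bundle is never touched.
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    path = File.join(dir, "ca-certificates.crt")
    puts "missing bundle: #{probe(path)}"
    FileUtils.touch(path)
    puts "present bundle: #{probe(path)}"
  end
end
```

The point of the probe is the second line of its output: with the bundle absent, the weak variant reports `weak_verifies: false` while the hardened one still verifies against the default store, which is exactly the situation an admin who deleted the bundle "to not check the certificate" is relying on, and why the commit message expects a fix to change behaviour for them.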
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -13780,7 +13780,18 @@ CVE-2020-26098 (cPanel before 88.0.3 mishandles the Exim filter path, leading to
NOT-FOR-US: cPanel
CVE-2016-11086 (lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby doe ...)
- ruby-oauth <unfixed> (bug #970932)
+ [stretch] - ruby-oauth <no-dsa> (Minor issue)
NOTE: https://github.com/oauth-xx/oauth-ruby/issues/137
+ NOTE: For jessie it is declared as minor issue since the package that
+ NOTE: must exist is generated by ca-certificates package and
+ NOTE: ca-certificates in the package dependency list. Hence even though
+ NOTE: the package is vulnerable the problem do not exist in Debian
+ NOTE: unless the admin has explicitly removed the file from the filesystem.
+ NOTE: Should probably be handled the same in other releases.
+ NOTE: Fixing this vulnerability can cause a regression in the case the
+ NOTE: admin has intentionally removed this file to not check certificates.
+ NOTE: It could therefore be considered as to be ignored but more should
+ NOTE: have an opinion about this before deciding that.
CVE-2020-26097 (** UNSUPPORTED WHEN ASSIGNED ** The firmware of the PLANET Technology ...)
NOT-FOR-US: PLANET Technology Corp NVR-915 and NVR-1615
CVE-2020-26096
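Review bot: the release named in the NOTE block does not match the tag it explains: the added tag is `[stretch] - ruby-oauth <no-dsa> (Minor issue)`, but the first NOTE line says "For jessie it is declared as minor issue". The tag is what the tracker acts on, so the NOTE should say stretch (or the tag should move to the release the reasoning was actually done for). The rationale also needs a concrete check before the last-but-two NOTE line ("Should probably be handled the same in other releases") is followed: it rests on ca-certificates being pulled in by ruby-oauth through hard Depends, and a Recommends in that chain would be dropped by `--no-install-recommends`; `apt-cache depends --recurse --important ruby-oauth` on the release in question settles this, and the NOTE should state what was verified. Two wording slips while editing that block: "ca-certificates in the package dependency list" is missing "is", and "the problem do not exist" should read "does not exist". Finally, the NOTEs argue that a fix could regress admins who deleted the bundle deliberately and then leave the minor-vs-ignored decision open; a short dated NOTE (as used in dla-needed.txt, e.g. "NOTE: 20201215: ...") naming who still needs to weigh in, or a pointer to the discussion, would keep that open question findable.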
=====================================
data/dla-needed.txt
=====================================
@@ -148,8 +148,6 @@ ruby-kaminari
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
-ruby-oauth
---
shiro
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto)
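Review bot: removing ruby-oauth from dla-needed.txt takes it off the only list where the still-open question recorded in data/CVE/list ("more should have an opinion about this before deciding that") would be tracked; the neighbouring entries (ruby-kaminari, shiro) keep dated NOTE lines for exactly this kind of pending decision. Either keep the entry with a "NOTE: 20201215: tagged no-dsa for stretch, pending confirmation that it can be ignored (opal)" line, or record in the commit message that the decision is final. The removal itself is well-formed: the separator before ruby-oauth stays as context and only the entry plus its trailing "--" go, so shiro still gets its own separator.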
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43736bcbaed5106cb2a830d444e6ed479884824e