Your message dated Sat, 09 Nov 2019 00:06:22 +0000
with message-id <e1itegk-0009bm...@fasolo.debian.org>
and subject line Bug#930388: fixed in ruby-openid 2.9.2debian-1
has caused the Debian Bug report #930388,
regarding ruby-openid: CVE-2019-11027
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930388
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-openid
Version: 2.7.0debian-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/openid/ruby-openid/issues/122

Hi,

The following vulnerability was published for ruby-openid.

CVE-2019-11027[0]:
| Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
| flaw. This library is used by Rails web applications to integrate with
| OpenID Providers. Severity can range from medium to critical,
| depending on how a web application developer chose to employ the ruby-
| openid library. Developers who based their OpenID integration heavily
| on the "example app" provided by the project are at highest risk.

Unfortunately there is very scarce information available for this issue.
SuSE folks did try to ask upstream in [1]. Originally the assignment
seems to come from [2], but this as well does practically not give
enough information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11027
[1] https://github.com/openid/ruby-openid/issues/122
[2] https://marc.info/?l=openid-security&m=155154717027534&w=2

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-openid
Source-Version: 2.9.2debian-1

We believe that the bug you reported is fixed in the latest version of
ruby-openid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh2...@gmail.com> (supplier of updated ruby-openid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Nov 2019 04:07:31 +0530
Source: ruby-openid
Architecture: source
Version: 2.9.2debian-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh2...@gmail.com>
Closes: 930388
Changes:
 ruby-openid (2.9.2debian-1) unstable; urgency=medium
 .
   * New upstream version 2.9.2debian (Closes: #930388) (Fixes: CVE-2019-11027)
   * Add salsa-ci.yml
   * Switch d/watch to g/h tarball
   * Add d/upstream/metadata
   * Update d/copyright
   * Add myself as an uploader
   * Fix package wrt cme
     - Bump Standards-Version to 4.4.1
     - Bump debhelper-compat to 12
Checksums-Sha1:
 be944080200408d3fd66d42690912425eb8223b6 2211 ruby-openid_2.9.2debian-1.dsc
 ba691dd420a3a7cc5b5936df105a554b2ff1c039 512584 ruby-openid_2.9.2debian.orig.tar.gz
 ef7c39d3de8ad5abe3b75e3643c748cd5d2000ed 7304 ruby-openid_2.9.2debian-1.debian.tar.xz
 451b347a4fac93928fb55459bec6ccc49d60c6ac 12773 ruby-openid_2.9.2debian-1_amd64.buildinfo
Checksums-Sha256:
 cd069d3efb8a623969260540e64aee5efc39b86b2f65a19f755f3e908841791a 2211 ruby-openid_2.9.2debian-1.dsc
 ef998d8138c5c1684b079d4bc4fa9635f20db39d1ec5de48dc9b4d3a1aa0f306 512584 ruby-openid_2.9.2debian.orig.tar.gz
 2cbb561c8d1a526058dda1ce22ac9e93570da8762ab670318c1dca7088b41cd2 7304 ruby-openid_2.9.2debian-1.debian.tar.xz
 51f74be965ce55c638090b867d6890fd12b394e627b6c1d532045cdb3b60fa27 12773 ruby-openid_2.9.2debian-1_amd64.buildinfo
Files:
 a315cdd2b2a0df113b7930613df51b3a 2211 ruby optional ruby-openid_2.9.2debian-1.dsc
 8710b819b77de9c7cce9adfc19866217 512584 ruby optional ruby-openid_2.9.2debian.orig.tar.gz
 4538940ab9f7ebd09f993e41983ac82e 7304 ruby optional ruby-openid_2.9.2debian-1.debian.tar.xz
 5c378bbaa0102e329619c33e5b57e730 12773 ruby optional ruby-openid_2.9.2debian-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
