Hello,

Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the security issues originate from problems with the standard. Which likely means that all implementations are vulnerable.
As LTS developers, I don't think there is anything we can do with these issues, because we cannot break the known standard in an LTS release just to fix a security issue, as this would break applications that use this library.

I don't yet fully understand this security vulnerability; however, the researcher has recommended that detailed error messages be replaced by generic errors. While this doesn't solve the security issue, it makes it a little bit harder to exploit. So I guess this is something we could do. Although I am unclear how we should mark this change up in the security tracker...

There are also some recommendations for application developers. However, I don't see any applications in Debian/Jessie that depend on ruby-openid. So I don't think we can do anything with these recommendations. Presumably that means anybody who needs this library has installed it for locally installed applications.

I see "find-work" has given ruby-openid a score of 2.35%.

It is also worth noting that there are other potential security issues with this library, e.g. see https://github.com/openid/ruby-openid/issues/98

Regards
--
Brian May <b...@debian.org>