Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-12 Thread Utkarsh Gupta
Hi Sylvain, hi all, On Thu, 7 Nov, 2019, 3:19 PM Sylvain Beucler, wrote: > Hi, > > On 06/11/2019 21:14, Utkarsh Gupta wrote: > > On 06/11/19 11:47 am, Brian May wrote: > >> Utkarsh Gupta writes: > >> > >>> I am not quite sure about what should we do here because the update > (DLA > >>> 1956-1)

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-12 Thread Raphael Hertzog
Hi, (Sylvain, please cc me if you want me to read something in any timely fashion) On Thu, 07 Nov 2019, Sylvain Beucler wrote: > Raphael, given that this package is low popcon and the vulnerability is > fuzzy, do you know if the sponsor for this package would be willing to > test fixes? The spon

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-07 Thread Sylvain Beucler
Hi, On 06/11/2019 21:14, Utkarsh Gupta wrote: > On 06/11/19 11:47 am, Brian May wrote: >> Utkarsh Gupta writes: >> >>> I am not quite sure about what should we do here because the update (DLA >>> 1956-1) doesn't quite fix the CVE completely and also brings some login >>> problems as reported in #

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-06 Thread Utkarsh Gupta
Hiya, On 06/11/19 11:47 am, Brian May wrote: > Utkarsh Gupta writes: > >> I am not quite sure about what should we do here because the update (DLA >> 1956-1) doesn't quite fix the CVE completely and also brings some login >> problems as reported in #125. >> Because for now, #121 + #126 = actual C

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-05 Thread Brian May
Utkarsh Gupta writes: > I am not quite sure about what should we do here because the update (DLA > 1956-1) doesn't quite fix the CVE completely and also brings some login > problems as reported in #125. > Because for now, #121 + #126 = actual CVE fix. But the login problem > remains. I guess we

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-28 Thread Utkarsh Gupta
Hi Brian, On 11/10/19 5:02 pm, Utkarsh Gupta wrote: > On 10/10/19 11:23 am, Brian May wrote: >> Utkarsh Gupta writes: >> >>> Just a quick question about this patch since I haven't really tested >>> this at all (however aware of the CVE), >>> Is checking signature before sending a request to openi

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-11 Thread Utkarsh Gupta
On 10/10/19 11:23 am, Brian May wrote: > Utkarsh Gupta writes: > >> Just a quick question about this patch since I haven't really tested >> this at all (however aware of the CVE), >> Is checking signature before sending a request to openid.claimed_id URL >> strict enough? > Yes, that is my unders

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-09 Thread Brian May
Utkarsh Gupta writes: > Just a quick question about this patch since I haven't really tested > this at all (however aware of the CVE), > Is checking signature before sending a request to openid.claimed_id URL > strict enough? Yes, that is my understanding. If the signature is checked, that makes

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-08 Thread Utkarsh Gupta
Hi Brian, On 09/10/19 11:52 am, Brian May wrote: > My current understanding based on discussions in > https://github.com/openid/ruby-openid/issues/122 is that the following > patch should entirely fix this problem in ruby-openid. > > The discussion seems to be highly confused, and at times the rep

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-10-08 Thread Brian May
My current understanding based on discussions in https://github.com/openid/ruby-openid/issues/122 is that the following patch should entirely fix this problem in ruby-openid. The discussion seems to be highly confused, and at times the reporter seems to reject this as being insufficient, but witho

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-08-25 Thread Ola Lundqvist
Hi I think we should consider to mark this package unsupported. // Ola On Tue, 13 Aug 2019 at 00:20, Brian May wrote: > Hello, > > Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the > security issues originate from problems with the standard. Which likely > means that all im

Security issues in standards (ruby-openid / CVE-2019-11027)

2019-08-12 Thread Brian May
Hello, Looking at some security issues, e.g. ruby-openid, CVE-2019-11027, the security issues originate from problems with the standard. Which likely means that all implementations are vulnerable. As LTS developers, I don't think there is anything we can do with these issues, because we cannot bre