Field | Value
---|---
Name | CVE-2019-11027
Description | Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References | DLA-1956-1
Debian Bugs | 930388
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
ruby-openid (PTS) | buster | 2.7.0debian-1 | vulnerable
ruby-openid (PTS) | bullseye | 2.9.2debian-1 | fixed
ruby-openid (PTS) | bookworm | 2.9.2debian-2 | fixed
ruby-openid (PTS) | sid, trixie | 2.9.2debian-3 | fixed
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
ruby-openid | source | jessie | 2.5.0debian-1+deb8u1 | | DLA-1956-1 |
ruby-openid | source | (unstable) | 2.9.2debian-1 | | | 930388
[buster] - ruby-openid <no-dsa> (Minor issue)
[stretch] - ruby-openid <no-dsa> (Minor issue)
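As an added check (example code written for this page, not code from the Debian tracker or the ruby-openid project): a small Ruby script that compares an installed ruby-openid version against the fixed versions in the tables above using dpkg's version ordering, so that a revision such as 2.5.0debian-1+deb8u1 is judged newer than 2.5.0debian-1, 2.10.x newer than 2.9.x, and a ~rc suffix older than the plain version. The FIXED_VERSIONS data and the rule that the (unstable) fix covers every release after jessie (buster and stretch being no-dsa and therefore still vulnerable) are taken from the tables above; the script name check.rb is an assumption.

```ruby
# Added example, not part of the Debian tracker page or the ruby-openid
# project: check an installed ruby-openid version against the fixed
# versions listed above, using dpkg's version ordering (verrevcmp) so that
# suffixes such as "+deb8u1" and "~rc1" compare the way dpkg compares them.

# Fixed versions taken from the tables above; the (unstable) fix also covers
# bullseye, bookworm, sid and trixie. buster and stretch have no fix (no-dsa),
# so their versions compare as older than the default threshold.
FIXED_VERSIONS = {
  'jessie' => '2.5.0debian-1+deb8u1', # DLA-1956-1
  :default => '2.9.2debian-1',        # (unstable), Debian bug 930388
}.freeze

def digit?(c)
  c.is_a?(String) && c.match?(/\A\d\z/)
end

# Sort weight of one character as in dpkg's order(): '~' sorts before
# everything (even the end of the string), letters before non-letters.
def deb_order(c)
  return 0 if c.nil?            # end of string
  return -1 if c == '~'
  return 0 if digit?(c)
  return c.ord if c.match?(/\A[A-Za-z]\z/)
  c.ord + 256
end

# Compare two upstream-version or revision strings the way dpkg's
# verrevcmp() does: alternating non-digit runs (ordered by deb_order)
# and digit runs (compared numerically, leading zeros ignored).
def verrevcmp(a, b)
  a = a.chars
  b = b.chars
  until a.empty? && b.empty?
    first_diff = 0
    while (!a.empty? && !digit?(a[0])) || (!b.empty? && !digit?(b[0]))
      ac = deb_order(a[0])
      bc = deb_order(b[0])
      return ac - bc if ac != bc
      a.shift
      b.shift
    end
    a.shift while a[0] == '0'
    b.shift while b[0] == '0'
    while digit?(a[0]) && digit?(b[0])
      first_diff = a[0].to_i - b[0].to_i if first_diff.zero?
      a.shift
      b.shift
    end
    return 1 if digit?(a[0])
    return -1 if digit?(b[0])
    return first_diff unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def parse_deb_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  dash = rest.rindex('-')
  upstream, revision = dash ? [rest[0...dash], rest[dash + 1..-1]] : [rest, '']
  [epoch.to_i, upstream, revision]
end

# -1, 0 or 1, like `dpkg --compare-versions`.
def deb_version_cmp(x, y)
  ex, ux, rx = parse_deb_version(x)
  ey, uy, ry = parse_deb_version(y)
  return ex <=> ey if ex != ey
  c = verrevcmp(ux, uy)
  c = verrevcmp(rx, ry) if c.zero?
  c <=> 0
end

# True when the installed version is older than the fixed version for that
# release (so buster's 2.7.0debian-1 comes back vulnerable, as the table says).
def vulnerable?(release, installed)
  fixed = FIXED_VERSIONS.fetch(release, FIXED_VERSIONS[:default])
  deb_version_cmp(installed, fixed) < 0
end

# Usage (assumed script name): ruby check.rb <release> <installed-version>
#   ruby check.rb buster "$(dpkg-query -W -f '${Version}' ruby-openid)"
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  release, installed = ARGV
  state = vulnerable?(release, installed) ? 'vulnerable' : 'fixed'
  puts "#{release} #{installed}: #{state}"
end
```

The comparison deliberately reimplements dpkg's algorithm rather than comparing strings or splitting on dots: a naive string comparison would rank 2.10.0 below 2.9.2 and would not see 2.5.0debian-1+deb8u1 as newer than 2.5.0debian-1, which is exactly the case that matters for the jessie DLA.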
https://github.com/openid/ruby-openid/issues/122
https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
https://github.com/openid/ruby-openid/commit/8a4c31a6740a949cdc29d956c276ba3c4021dfa8
https://github.com/openid/ruby-openid/commit/f526132c6cb5d9195351c16ed36dced4ca3db496