CVE-2016-11086

NameCVE-2016-11086
Descriptionlib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs970932

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-oauth (PTS)stretch0.4.7-3vulnerable
buster0.5.4-1vulnerable
bullseye, sid0.5.4-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-oauthsource(unstable)(unfixed)unimportant970932

Notes

https://github.com/oauth-xx/oauth-ruby/issues/137
Likely minor issue since the package that exist is generated by ca-certificates
package and ca-certificates in the package dependency list. Hence even though the
package is vulnerable the problem do not exist in Debian unless the admin has
explicitly removed the file from the filesystem.
Fixing this vulnerability can cause a regression in the case the
admin has intentionally removed this file to not check certificates.

Search for package or bug name: Reporting problems