CVE-2019-11027

Name: CVE-2019-11027
Description: Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1956-1
NVD severity: high
Debian Bugs: 930388

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release            Version                 Status
ruby-openid (PTS)   jessie             2.5.0debian-1           vulnerable
                    jessie (security)  2.5.0debian-1+deb8u1    fixed
                    buster, stretch    2.7.0debian-1           vulnerable
                    bullseye, sid      2.9.2debian-1           fixed

The information below is based on the following data on fixed versions.

Package      Type    Release     Fixed Version          Urgency  Origin      Debian Bugs
ruby-openid  source  (unstable)  2.9.2debian-1                               930388
ruby-openid  source  jessie      2.5.0debian-1+deb8u1            DLA-1956-1
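The tables above answer "am I affected?" for Debian packages. For an application that installs ruby-openid through Bundler, the equivalent check is the upstream version pinned in Gemfile.lock against the range the advisory names (every release through 2.8.0). The script below is an added example, not code from the Debian tracker or the ruby-openid project; the lockfile fragment it scans is constructed for the example, and the helper names are its own.

```ruby
# Added example (not part of the Debian tracker entry or of ruby-openid):
# check whether a Bundler lockfile pins a ruby-openid release in the range
# the advisory covers, i.e. any upstream release <= 2.8.0.
require "rubygems"

LAST_AFFECTED = Gem::Version.new("2.8.0")

# True when the upstream gem version is 2.8.0 or older.
# Gem::Version handles prerelease tags, so "2.8.0.pre" also counts as affected.
def ruby_openid_affected?(version)
  Gem::Version.new(version) <= LAST_AFFECTED
end

# Extract the pinned ruby-openid version from Gemfile.lock text.
# Resolved gems under GEM/specs appear as "    ruby-openid (2.7.0)" (four
# leading spaces, version in parentheses); the DEPENDENCIES section lists
# the gem without a version and is deliberately not matched.
# Returns nil when the gem is not in the lockfile.
def pinned_ruby_openid_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/^\s{4}ruby-openid \(([^)]+)\)\s*$/)
    return m[1] if m
  end
  nil
end

# Returns :affected, :fixed or :absent for a lockfile.
def assess_lockfile(lockfile_text)
  v = pinned_ruby_openid_version(lockfile_text)
  return :absent if v.nil?
  ruby_openid_affected?(v) ? :affected : :fixed
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.7)
      ruby-openid (2.7.0)
      rails (5.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
    ruby-openid
LOCK

if __FILE__ == $PROGRAM_NAME
  v = pinned_ruby_openid_version(SAMPLE_LOCKFILE)
  puts "ruby-openid #{v || '(not pinned)'}: #{assess_lockfile(SAMPLE_LOCKFILE)}"
end
```

This comparison is only valid for gems installed from RubyGems. It does not apply to Debian's packaged versions, because a security backport keeps the upstream number: jessie's fixed 2.5.0debian-1+deb8u1 in the table above would be flagged as affected by an upstream-only check, so for Debian hosts use the package table (or dpkg's version comparison against the fixed version) instead.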

Notes

[buster] - ruby-openid <no-dsa> (Minor issue)
[stretch] - ruby-openid <no-dsa> (Minor issue)
https://github.com/openid/ruby-openid/issues/122
https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
https://github.com/openid/ruby-openid/commit/8a4c31a6740a949cdc29d956c276ba3c4021dfa8
https://github.com/openid/ruby-openid/commit/f526132c6cb5d9195351c16ed36dced4ca3db496
