author: Ola Lundqvist <ola@inguza.com> 2020-12-15 07:47:45 +0100
committer: Ola Lundqvist <ola@inguza.com> 2020-12-15 07:48:09 +0100
commit: 07e80080f65a7772cf3696998c48a3dce2f20f1f (patch)
tree: fef444cd9bf73f87f602a76b134fa83572814305
parent: c2e972f0c4d3860f6e6e57cd22aa66abfdbe2058 (diff)
Declared CVE-2016-11086 as minor issue since the problem is exploitable if /etc/ssl/certs/ca-certificates.crt does not exist. However this file normally exists since ruby-oauth depends on ruby which in turn depends on the ca-certificates package which generates this file. This means that in Debian this file always exists unless the admin has intentionally removed it. So the package is vulnerable but typically not in Debian. Updating this vulnerability could even cause a regression because some server admin may intentionally have removed this file to not check the certificate.
-rw-r--r-- data/CVE/2016.list | 11
-rw-r--r-- data/dla-needed.txt | 2
2 files changed, 11 insertions, 2 deletions
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index 9236bfb5d4..b53576c383 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -2,7 +2,18 @@ CVE-2016-15001
REJECTED
CVE-2016-11086 (lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby doe ...)
- ruby-oauth <unfixed> (bug #970932)
+ [stretch] - ruby-oauth <no-dsa> (Minor issue)
NOTE: https://github.com/oauth-xx/oauth-ruby/issues/137
+ NOTE: For jessie it is declared as minor issue since the package that
+ NOTE: must exist is generated by ca-certificates package and
+ NOTE: ca-certificates in the package dependency list. Hence even though
+ NOTE: the package is vulnerable the problem do not exist in Debian
+ NOTE: unless the admin has explicitly removed the file from the filesystem.
+ NOTE: Should probably be handled the same in other releases.
+ NOTE: Fixing this vulnerability can cause a regression in the case the
+ NOTE: admin has intentionally removed this file to not check certificates.
+ NOTE: It could therefore be considered as to be ignored but more should
+ NOTE: have an opinion about this before deciding that.
CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...)
NOT-FOR-US: Wordpress plugin
CVE-2016-11084 (An issue was discovered in Mattermost Server before 2.1.0. It allows X ...)
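Review bot: the release named in the added NOTE lines does not match the triage line they explain: the new `[stretch] - ruby-oauth <no-dsa> (Minor issue)` entry is for stretch, but the first NOTE says "For jessie it is declared as minor issue". One of the two should be corrected so the rationale is attached to the right release. The NOTE text also has a few wording problems worth tidying while here: "the package that must exist is generated by ca-certificates" presumably means the file (/etc/ssl/certs/ca-certificates.crt, as named in the commit message), "ca-certificates in the package dependency list" is missing a verb ("is in"), and "the problem do not exist" should read "does not exist". Finally, the last two NOTE lines record that the entry could arguably be `<ignored>` rather than `<no-dsa>` pending wider input; it would help later triagers if the NOTE stated what input is expected (e.g. a pointer to the list thread) rather than leaving the decision open-ended.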
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 2d4b2ca226..0e432aa178 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -148,8 +148,6 @@ ruby-kaminari
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
-ruby-oauth
---
shiro
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto)
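Review bot: removing the ruby-oauth block from dla-needed.txt is consistent with the `<no-dsa> (Minor issue)` triage added for stretch in data/CVE/2016.list in the same commit, but the hunk drops the entry without leaving any trace of the decision in this file, so anyone reading dla-needed.txt history has to cross-reference the CVE list to learn why the package was dropped. Consider mentioning the no-dsa triage in the commit message's file list or, following the convention used by the neighbouring entries (`NOTE: <date>: ...`), leaving a dated note before removal. Also check that the two `--` separator lines removed around `ruby-oauth` are the right pair, so that `ruby-kaminari` and `shiro` remain separated by exactly one `--` line after the change.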
