author Ola Lundqvist <ola@inguza.com> 2020-12-15 07:47:45 +0100
committer Ola Lundqvist <ola@inguza.com> 2020-12-15 07:48:09 +0100
commit 07e80080f65a7772cf3696998c48a3dce2f20f1f (patch)
tree fef444cd9bf73f87f602a76b134fa83572814305 /data/CVE/2016.list
parent c2e972f0c4d3860f6e6e57cd22aa66abfdbe2058 (diff)
Declared CVE-2016-11086 as minor issue since the problem is exploitable if /etc/ssl/certs/ca-certificates.crt does not exist. However this file normally exists since ruby-oauth depends on ruby, which in turn depends on the ca-certificates package, which generates this file. This means that in Debian this file always exists unless the admin has intentionally removed it. So the package is vulnerable but typically not in Debian. Updating this vulnerability could even cause a regression because some server admin may intentionally have removed this file to not check the certificate.
Diffstat (limited to 'data/CVE/2016.list')
-rw-r--r-- data/CVE/2016.list 11
1 files changed, 11 insertions, 0 deletions
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index 9236bfb5d4..b53576c383 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -2,7 +2,18 @@ CVE-2016-15001
REJECTED
CVE-2016-11086 (lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby doe ...)
- ruby-oauth <unfixed> (bug #970932)
+ [stretch] - ruby-oauth <no-dsa> (Minor issue)
NOTE: https://github.com/oauth-xx/oauth-ruby/issues/137
+ NOTE: For jessie it is declared as minor issue since the package that
+ NOTE: must exist is generated by ca-certificates package and
+ NOTE: ca-certificates in the package dependency list. Hence even though
+ NOTE: the package is vulnerable the problem do not exist in Debian
+ NOTE: unless the admin has explicitly removed the file from the filesystem.
+ NOTE: Should probably be handled the same in other releases.
+ NOTE: Fixing this vulnerability can cause a regression in the case the
+ NOTE: admin has intentionally removed this file to not check certificates.
+ NOTE: It could therefore be considered as to be ignored but more should
+ NOTE: have an opinion about this before deciding that.
CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...)
NOT-FOR-US: Wordpress plugin
CVE-2016-11084 (An issue was discovered in Mattermost Server before 2.1.0. It allows X ...)
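Review bot: The added status line is tagged `[stretch]` but the first NOTE line says "For jessie", so the entry does not state consistently which release the no-dsa decision covers; the tag and the NOTE should name the same release. The NOTE also says "the package that must exist" where the condition is a file: name /etc/ssl/certs/ca-certificates.crt, as the commit message does, and say that the ca-certificates dependency comes in through ruby, since "ca-certificates in the package dependency list" reads as a direct dependency of ruby-oauth. The last two NOTE lines leave open whether the issue should be ignored instead; pointing to where that opinion is being collected (bug #970932 is already referenced on the line above) would help the next person triaging the entry.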
