Debian LTS Advisory ([SECURITY] [DLA 1956-1] ruby-openid security update)

Published: 2019-10-12 02:00:06
CVE Author: NIST National Vulnerability Database

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary:
The remote host is missing an update for the 'ruby-openid' Linux Distribution Package(s) announced via the DLA-1956-1 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
ruby-openid performed discovery first and verification afterwards. Because the discovery URL was not yet verified when it was fetched, an attacker could change the URL used for discovery and trick the server into connecting to an attacker-chosen URL, which could point at a private server that is not publicly accessible. Furthermore, if the client that uses this library discloses connection errors, those errors could leak information from the private server to the attacker.

Affected Versions:
'ruby-openid' Linux Distribution Package(s) on Debian Linux.

Recommendations:
For Debian 8 'Jessie', this problem has been fixed in version 2.5.0debian-1+deb8u1. We recommend that you upgrade your ruby-openid Linux Distribution Packages.

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2019-11027

CVE Analysis

https://www.mageni.net/cve/CVE-2019-11027

References:

https://lists.debian.org/debian-lts-announce/2019/10/msg00014.html
https://security-tracker.debian.org/tracker/DLA-1956-1

Severity:
High

CVSS Score:
10.0

Published:
2019-10-12

Modified:
2019-10-12

Category:
Debian Local Security Checks
