Debian LTS Advisory ([SECURITY] [DLA 1956-1] ruby-openid security update)

Published: 2019-10-12 02:00:06
CVE Author: NIST National Vulnerability Database

The remote host is missing an update for the 'ruby-openid' Linux Distribution Package(s) announced via the DLA-1956-1 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
ruby-openid performed discovery first and verification only afterwards. An attacker could therefore change the URL used for discovery and trick the server into connecting to that URL before the response had been verified. The URL could point at a private server that is not publicly accessible. Furthermore, if the client that uses this library discloses connection errors, information from the private server could in turn be disclosed to the attacker.
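The ordering problem described above, as an added illustration that is not ruby-openid code: a relying party receives an OpenID assertion whose claimed identifier is attacker-chosen, and "discovery" of that identifier means fetching the URL. The fetcher, the association secret, the signing scheme and the response fields are all constructed for the demo and stand in for the real protocol. The vulnerable function fetches first and verifies second, so a forged response still causes a request to whatever URL the attacker supplied; the fixed function verifies the signature against the stored association before any network activity, so the forged response is rejected with nothing fetched.

```ruby
require 'openssl'

# Constructed demo "network": records every URL the relying party would fetch
# during OpenID discovery instead of actually contacting it.
class RecordingFetcher
  attr_reader :fetched

  def initialize
    @fetched = []
  end

  # Discovery of a claimed identifier means an HTTP fetch of that URL.
  def discover(claimed_id)
    @fetched << claimed_id
    'https://op.example/endpoint' # constructed OP endpoint returned by discovery
  end
end

# Constructed shared secret standing in for a stored OpenID association.
ASSOC_SECRET = 'constructed-association-secret'.freeze

# Sign all fields except 'sig' with HMAC-SHA256 over a canonical ordering.
def signature_for(fields)
  signed = fields.reject { |k, _| k == 'sig' }
  data = signed.sort.map { |k, v| "#{k}:#{v}\n" }.join
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), ASSOC_SECRET, data)
end

# Length check plus XOR accumulation so the comparison does not short-circuit.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(response)
  constant_time_eq?(signature_for(response), response['sig'].to_s)
end

# Vulnerable ordering (the behaviour the advisory describes): discovery runs on
# the response's claimed_id before the signature is checked, so a forged
# response still triggers a fetch of an attacker-chosen URL.
def complete_discover_first(response, fetcher)
  fetcher.discover(response['claimed_id'])
  signature_valid?(response) ? :accepted : :rejected
end

# Fixed ordering: a forged response is rejected before any discovery fetch.
def complete_verify_first(response, fetcher)
  return :rejected unless signature_valid?(response)
  fetcher.discover(response['claimed_id'])
  :accepted
end

# Constructed forged response: claimed_id points into a documentation-range
# address (RFC 5737) standing in for a private host; 'sig' is not valid.
FORGED = { 'claimed_id' => 'http://192.0.2.10/internal', 'sig' => 'bogus' }.freeze

# Run both orderings against the forged response and report what got fetched.
def demo
  before = RecordingFetcher.new
  after = RecordingFetcher.new
  {
    vulnerable: [complete_discover_first(FORGED, before), before.fetched],
    fixed: [complete_verify_first(FORGED, after), after.fetched]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints both outcomes: the vulnerable path rejects the forged response but only after fetching `http://192.0.2.10/internal`, while the fixed path rejects it with an empty fetch list. A genuinely signed response is accepted by both, which is why the reordering is a safe fix rather than a functional change.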

Affected Versions:
'ruby-openid' Linux Distribution Package(s) on Debian Linux.

For Debian 8 'Jessie', this problem has been fixed in version 2.5.0debian-1+deb8u1. We recommend that you upgrade your ruby-openid Linux Distribution Packages.

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

Debian Local Security Checks

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well, you can officially cancel your current subscription. Mageni provides a free, open-source and enterprise-ready vulnerability scanning and management platform which helps you find, prioritize, remediate and manage your vulnerabilities. It is free and always will be.