Question concerning CVE-2019-11027

[rfrohl]

Hi,
I have a question concerning the recent CVE [0]. Could you provide some background which version/commit fixes the issue? Rubygems [1] only shows version 2.7.0. Was version 2.8.0 pulled because of the CVE or was 2.8 just not uploaded by accident ?

Thanks!

[0] https://nvd.nist.gov/vuln/detail/CVE-2019-11027
[1] https://rubygems.org/gems/ruby-openid

[tushar-gandhi]

We are also facing same issue. Any update on this?

[jrbyam]

Same here. Has anyone managed to find a workaround to this issue?

[ff-cviradiya]

Hi @tobiashm, this vulnerability is being flagged by security scanners. Github is also flagging this. Please let us know the plan to fix this or is there any workaround we can apply meanwhile?

[lamby]

The complete list of commits between 2.7.0 and 2.8.0 are available here:

v2.7.0...v2.8.0

.. yet none look relevant from my quick glance. Anyone else?

[lamby]

I've even looked further back in history with no luck. Can someone else have a look too? Perhaps I'm missing something...

[lamby]

I had another look but am still a bit stumped... @tobiashm , can you help here? :)

[tobiashm]

The reason v2.8.0 is not on RubyGems is that I haven't been able to contact any of the people who have access to push there :(
So if you want to use the latest version, you have to reference it on GitHub.

I will try to look into the security issue soon. Any help is much appreciated :)

[lamby]

Hm, sorry for the confusion but my question here isn't actually about RubyGems but rather I cannot find the relevant commit that fixes this CVE in this Git repository. What am I missing? :)

[tobiashm]

@lamby The part about RubyGems was in reply to the initial post by @rfrohl as clarification.

I have read the linked CVE, but can't really figure out what the vulnerability is supposed to be?

[lamby]

I have read the linked CVE, but can't really figure out what the vulnerability is supposed to be?

Mmm, exactly! To clarify on my end, I thought it was released in 2.8.0 and — as this repo contains a 2.8.0 tag — then the fix would be in here somewhere... :)

[marutosi]

Does not 2.7 have vulnerability?

[lamby]

That's my point - I thought 2.7.0 was vulnerable but 2.8.0 contains the fix. Thus the commit fixing the issue would be in the diff between the two, but that does not appear to be the case. So I am missing something fundamental. :)

[tobiashm]

Okay, I understand the confusion.

Short answer: There are currently no version that contains a fix.

Slightly longer: This is due to uncertainty about what the vulnerability actually is! The linked CVE does not contain any concrete information, so I am basically unaware of what would need fixing.
I have written to the person who made the report, and will post an update when I know more.

[tobiashm]

On a side note: The security notification here on GitHub is related to the example Rails app, due to it being based on a very old version of Rails.
It has no relation to CVE-2019-11027

[lamby]

I have written to the person who made the report, and will post an update when I know more.

Anything more? :)