| Name | CVE-2016-11086 |
| --- | --- |
| Description | lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 970932 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| ruby-oauth (PTS) | jessie | 0.4.7-2 | vulnerable |
| | stretch | 0.4.7-3 | vulnerable |
| | buster | 0.5.4-1 | vulnerable |
| | sid, trixie, bullseye, bookworm | 0.5.4-1.1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| ruby-oauth | source | experimental | 0.5.6-1 | | | |
| ruby-oauth | source | jessie | (unfixed) | end-of-life | | |
| ruby-oauth | source | (unstable) | (unfixed) | unimportant | | 970932 |
Notes
https://github.com/oauth-xx/oauth-ruby/issues/137
Likely a minor issue, since the certificate bundle file the gem looks for is generated by the ca-certificates package, and ca-certificates is in the package's dependency list. Hence, even though the package is vulnerable, the problem does not occur in Debian unless the admin has explicitly removed the file from the filesystem.
Fixing this vulnerability could cause a regression in the case where the admin has intentionally removed this file in order to skip certificate checks.
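The notes above hinge on one design question: what a TLS client does when the CA bundle it was told to use is missing. The following Ruby is an added illustration written for this page; it is not code from the oauth-ruby gem, from Debian, or from the linked issue. The bundle path, the function names and `build_client` are constructed for the example. It contrasts the fail-open pattern the advisory describes (bundle absent, so verification is silently switched off) with a fail-closed variant that treats a missing configured bundle as an error and otherwise falls back to OpenSSL's default trust store rather than to `VERIFY_NONE`.

```ruby
require 'openssl'
require 'net/http'

# Constructed path standing in for whatever bundle location a library probes
# (on Debian the real file is generated by the ca-certificates package).
EXAMPLE_CA_BUNDLE = '/nonexistent/constructed/ca-bundle.crt'.freeze

# Fail-open pattern: if the bundle cannot be found, peer verification is
# disabled. This is the behaviour class described in the CVE text; any
# on-path attacker can then present an arbitrary certificate.
def fail_open_ssl_options(ca_file)
  if File.exist?(ca_file)
    { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file }
  else
    { verify_mode: OpenSSL::SSL::VERIFY_NONE }
  end
end

# Fail-closed pattern: a configured bundle that is missing is a hard error
# (surfacing the misconfiguration instead of hiding it), and when no bundle
# is configured at all the OpenSSL default store is used. VERIFY_PEER is
# returned on every path, so verification is never silently dropped.
def fail_closed_ssl_options(ca_file = nil)
  store = OpenSSL::X509::Store.new
  if ca_file
    raise ArgumentError, "CA bundle not found: #{ca_file}" unless File.exist?(ca_file)
    store.add_file(ca_file)
  else
    store.set_default_paths
  end
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

# Apply the chosen options to a Net::HTTP client. Net::HTTP.new does not
# open a connection, so this is safe to call offline.
def build_client(host, opts)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = opts[:verify_mode]
  http.cert_store = opts[:cert_store] if opts[:cert_store]
  http.ca_file = opts[:ca_file] if opts[:ca_file]
  http
end

if __FILE__ == $PROGRAM_NAME
  # With the bundle absent, the fail-open path quietly yields VERIFY_NONE.
  puts "fail-open:   verify_mode=#{fail_open_ssl_options(EXAMPLE_CA_BUNDLE)[:verify_mode]}"
  # The fail-closed path refuses to proceed with a missing configured bundle.
  begin
    fail_closed_ssl_options(EXAMPLE_CA_BUNDLE)
  rescue ArgumentError => e
    puts "fail-closed: #{e.message}"
  end
  # And with no bundle configured it still verifies, via the default store.
  client = build_client('example.invalid', fail_closed_ssl_options)
  puts "fail-closed: verify_mode=#{client.verify_mode} (default trust store)"
end
```

The regression the notes warn about corresponds to the `ArgumentError` branch: an operator who deliberately removed the bundle to avoid certificate checks would see connections start failing rather than succeeding unverified, which is the behaviour a fix would introduce and which the Debian maintainers weigh against the low real-world exposure.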