[SECURITY] [DLA 3494-1] ruby-doorkeeper security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3494-1] ruby-doorkeeper security update
From: "Chris Lamb" <lamby@debian.org>
Date: Wed, 12 Jul 2023 14:13:40 +0100
Message-id: <[🔎] 168916671611.233313.12497134726466222313@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3494-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
July 12, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby-doorkeeper
Version        : 4.4.2-1+deb10u1
CVE ID         : CVE-2023-34246
Debian Bug     : 1038950

It was discovered that there was an issue in ruby-doorkeeper, a
OAuth2 provider for Ruby on Rails applications. Doorkeeper
automatically processed authorization requests without user consent
for public clients that have been previously approved, but public
clients are inherently vulnerable to impersonation as their identity
cannot be assured.

For Debian 10 buster, this problem has been fixed in version
4.4.2-1+deb10u1.

We recommend that you upgrade your ruby-doorkeeper packages.

For the detailed security status of ruby-doorkeeper please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-doorkeeper

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmSuo3oACgkQHpU+J9Qx
Hlix3g//YOh1bGBfnpEeeijsJZpoc0FVLDQP+OcdXnScaZEgtuUTQyQmHShV2Tny
ywgo4YTBvZEl6n9ZNqRspRr3AZapOXnccuho2TqtwQw71UOYXCrvXVt0wDK7k1VW
NsRBsugiCfGqURnryF9DjCSX2Dt4q6pUQFcbq0sj+285nw1Tzpf8dBVYjV6slyGu
n1IdsUk6WfHAtXs4krfv4UVzHQqqbdWZ7suv3xsXlrVXuFz7dxk9eXoF5bwyhYKu
V+F+HdloLGXy6dc3tFgHX6sr/rk2ALPMh0XaWRUEeAVEwRYaz5WSg/nJp74a6JSZ
TO9azjeN9ZSDSRi139T1g79U1I3InXf6WWOfj1q6UvV3l16a7eM36UyIblBoNS81
PsLlPONBHprSZq0uorna42Er8uJWt6ZqyOg+PnMRIVHQFgbA58TOuXZzS71Eng1d
Vyvr/y1+VPG3oo5imejTqFPUc7QupCfJukTNMHwsjoWVqgUx0qJXO5VCpbztfY5f
JAcLTQZYRlJwEQ9k36SNNDO49rH+x6iG5mzpJYQnHN2kTId1FZx433XKlgywGxys
MH/2iM+JJyF2pWqolGIi0VELiKriVCxQ7cUKmNXSQ93pa95GmC/EPj1to4LvoPLX
Q/M1gPsJEhcinJQYDKCjzOr8kBBsRAfYPpAGLk2oc/i31aymhtM=
=P9Fv
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3490-1] thunderbird security update
Next by Date: [SECURITY] [DLA 3495-1] php-dompdf security update
Previous by thread: [SECURITY] [DLA 3490-1] thunderbird security update
Next by thread: [SECURITY] [DLA 3495-1] php-dompdf security update
Index(es):
- Date
- Thread