[security] Security issue with ruby-openid library

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Thu Feb 28 08:24:58 UTC 2019


Hi Chris,

did somebody reach out to you already?
Please either reach out to the maintainer of the gem yourself or tell me who you think should be contacted.

Kind regards
Axel

From: security <openid-security-bounces at lists.openid.net> On Behalf Of Chris
Sent: Wednesday, 27 February 2019 01:09
To: openid-security at lists.openid.net
Subject: [security] Security issue with ruby-openid library

openid-security mailing list:

I have discovered a remotely exploitable weakness in the ruby-openid library that Rails web applications use to integrate with OpenID Providers.  Severity can range from medium to critical, depending on how a web application developer chose to implement the ruby-openid library.  Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

I hesitate to provide too much detail publicly, as I would prefer to responsibly report the details of this issue privately, to ensure that the OpenID community has time to confirm my findings, implement appropriate code changes, and communicate effectively with affected developers.

Can one of the main admins on the list please suggest a viable approach?  One of the primary maintainers of the ruby-openid project could contact me directly (reply to this email?), or I could be provided with a short list of maintainers to contact.

Thank you
-
Chris