[security] Security issue with ruby-openid library

Chris setenforce1 at gmail.com
Fri Mar 1 22:11:00 UTC 2019


Axel, no contact yet. I will contact the gem maintainer directly.

Cheers
Chris

On Thu, Feb 28, 2019 at 12:25 AM <Axel.Nennker at telekom.de> wrote:

> Hi Chris,
>
> did somebody reach out to you already?
>
> Please either reach out to the maintainer of the gem yourself or tell me
> who you think should be contacted.
>
> Kind regards
>
> Axel
>
> *From:* security <openid-security-bounces at lists.openid.net> *On Behalf Of* Chris
> *Sent:* Wednesday, 27 February 2019 01:09
> *To:* openid-security at lists.openid.net
> *Subject:* [security] Security issue with ruby-openid library
>
> openid-security mailing list:
>
> I have discovered a remotely exploitable weakness in the ruby-openid
> library that Rails web applications use to integrate with OpenID
> Providers.  Severity can range from medium to critical, depending on how a
> web application developer chose to implement the ruby-openid library.
> Developers who based their OpenID integration heavily on the "example app"
> provided by the project are at highest risk.
>
> I hesitate to provide too much detail publicly, as I would prefer to
> responsibly report the details of this issue privately, to ensure that the
> OpenID community has time to confirm my findings, implement appropriate
> code changes, and communicate effectively with affected developers.
>
> Can one of the main admins on the list please suggest a viable approach?
> One of the primary maintainers of the ruby-openid project could contact me
> directly (reply to this email?), or I could be provided with a short list
> of maintainers to contact.
>
> Thank you
>
> -
>
> Chris
>