[security] Security issue with ruby-openid library

Chris setenforce1 at gmail.com
Sat Mar 2 17:19:09 UTC 2019


Thanks Nat, I reached out via email to who I believe is the project
maintainer yesterday.

Cheers,

Chris

On Fri, Mar 1, 2019, 11:27 PM n-sakimura <n-sakimura at nri.co.jp> wrote:

> Chris,
>
> Thanks for reaching out. Sorry that I could not respond earlier.
> I was flying from Tokyo to San Francisco.
>
> I will let the secretariat know about it so that they can act accordingly.
>
> In the meantime, if you could use your own path to get in touch with the
> author of the gem, it would be great as well, as it is over the weekend in
> the U.S.
>
> Additionally, I will bring it up in the board meeting to make our process
> more effective on these things.
>
> Best,
>
> Nat Sakimura
> Chairman of the board
> OpenID Foundation
>
> ------------------------------
> *From:* security <openid-security-bounces at lists.openid.net> (on behalf of Chris <
> setenforce1 at gmail.com>)
> *Sent:* Wednesday, February 27, 2019 9:09 AM
> *To:* openid-security at lists.openid.net
> *Subject:* [security] Security issue with ruby-openid library
>
> openid-security mailing list:
>
> I have discovered a remotely exploitable weakness in the ruby-openid
> library that Rails web applications use to integrate with OpenID
> Providers.  Severity can range from medium to critical, depending on how a
> web application developer chose to implement the ruby-openid library.
> Developers who based their OpenID integration heavily on the "example app"
> provided by the project are at highest risk.
>
> I hesitate to provide too much detail publicly, as I would prefer to
> responsibly report the details of this issue privately, to ensure that the
> OpenID community has time to confirm my findings, implement appropriate
> code changes, and communicate effectively with affected developers.
>
> Can one of the main admins on the list please suggest a viable approach?
> One of the primary maintainers of the ruby-openid project could contact me
> directly (reply to this email?), or I could be provided with a short list
> of maintainers to contact.
>
> Thank you
> -
> Chris
>

