[DRE-maint] [Bug 1190491] Re: XML denial of service vulnerability
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Jun 14 19:39:59 UTC 2013
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
** Also affects: ruby-openid (Ubuntu)
Importance: Undecided
Status: New
** Also affects: libopenid-ruby (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: ruby-openid (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: libopenid-ruby (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: ruby-openid (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: libopenid-ruby (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: ruby-openid (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: libopenid-ruby (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: ruby-openid (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: libopenid-ruby (Ubuntu Raring)
Importance: Undecided
Status: New
** Also affects: ruby-openid (Ubuntu Raring)
Importance: Undecided
Status: New
** Changed in: ruby-openid (Ubuntu Lucid)
Status: New => Invalid
** Changed in: ruby-openid (Ubuntu Precise)
Status: New => Invalid
** Changed in: ruby-openid (Ubuntu Raring)
Status: New => Fix Released
** Changed in: ruby-openid (Ubuntu Saucy)
Status: New => Fix Released
** Changed in: ruby-openid (Ubuntu Quantal)
Importance: Undecided => Medium
** Changed in: ruby-openid (Ubuntu Quantal)
Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: libopenid-ruby (Ubuntu Lucid)
Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: libopenid-ruby (Ubuntu Precise)
Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Quantal)
Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu Raring)
Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu Saucy)
Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu)
Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu)
Status: Fix Released => Incomplete
** Changed in: libopenid-ruby (Ubuntu Lucid)
Status: Confirmed => Incomplete
** Changed in: ruby-openid (Ubuntu Lucid)
Status: Invalid => Incomplete
** Changed in: libopenid-ruby (Ubuntu Precise)
Status: Confirmed => Incomplete
** Changed in: ruby-openid (Ubuntu Precise)
Status: Invalid => Incomplete
** Changed in: libopenid-ruby (Ubuntu Quantal)
Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu Quantal)
Status: Confirmed => Incomplete
** Changed in: libopenid-ruby (Ubuntu Raring)
Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu Raring)
Status: Fix Released => Incomplete
** Changed in: libopenid-ruby (Ubuntu Lucid)
Status: Incomplete => Confirmed
** Changed in: libopenid-ruby (Ubuntu Precise)
Status: Incomplete => Confirmed
** Changed in: libopenid-ruby (Ubuntu Quantal)
Status: Incomplete => Invalid
** Changed in: libopenid-ruby (Ubuntu Raring)
Status: Incomplete => Invalid
** Changed in: libopenid-ruby (Ubuntu Saucy)
Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Lucid)
Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Precise)
Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Quantal)
Status: Incomplete => Confirmed
** Changed in: ruby-openid (Ubuntu Raring)
Status: Incomplete => Fix Released
** Changed in: ruby-openid (Ubuntu Saucy)
Status: Incomplete => Fix Released
--
You received this bug notification because you are subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1190491
Title:
XML denial of service vulnerability
Status in “libopenid-ruby” package in Ubuntu:
Invalid
Status in “ruby-openid” package in Ubuntu:
Fix Released
Status in “libopenid-ruby” source package in Lucid:
Confirmed
Status in “ruby-openid” source package in Lucid:
Invalid
Status in “libopenid-ruby” source package in Precise:
Confirmed
Status in “ruby-openid” source package in Precise:
Invalid
Status in “libopenid-ruby” source package in Quantal:
Invalid
Status in “ruby-openid” source package in Quantal:
Confirmed
Status in “libopenid-ruby” source package in Raring:
Invalid
Status in “ruby-openid” source package in Raring:
Fix Released
Status in “libopenid-ruby” source package in Saucy:
Invalid
Status in “ruby-openid” source package in Saucy:
Fix Released
Bug description:
libopenid-ruby is affected by an XML denial of service (Entity
Expansion Attack / out of memory) attack.
See: https://github.com/openid/ruby-openid/pull/43
Patch:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed