[DRE-maint] [Bug 1190491] Re: XML denial of service vulnerability

Christian Kuersteiner ckuerste at gmx.ch
Fri Jun 21 07:05:09 UTC 2013


Lucid debdiff.

Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity and verifying via second instance worked without a problem.

** Patch added: "lp1190491-lucid.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+attachment/3708618/+files/lp1190491-lucid.debdiff

-- 
You received this bug notification because you are subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1190491

Title:
  XML denial of service vulnerability

Status in “libopenid-ruby” package in Ubuntu:
  Invalid
Status in “ruby-openid” package in Ubuntu:
  Fix Released
Status in “libopenid-ruby” source package in Lucid:
  Confirmed
Status in “ruby-openid” source package in Lucid:
  Invalid
Status in “libopenid-ruby” source package in Precise:
  Confirmed
Status in “ruby-openid” source package in Precise:
  Invalid
Status in “libopenid-ruby” source package in Quantal:
  Invalid
Status in “ruby-openid” source package in Quantal:
  Confirmed
Status in “libopenid-ruby” source package in Raring:
  Invalid
Status in “ruby-openid” source package in Raring:
  Fix Released
Status in “libopenid-ruby” source package in Saucy:
  Invalid
Status in “ruby-openid” source package in Saucy:
  Fix Released

Bug description:
  libopenid-ruby is affected by a XML denial of service (Entity
  Expansion Attack / out of memory) attack.

  See: https://github.com/openid/ruby-openid/pull/43

  Patch:
  https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+subscriptions





More information about the Pkg-ruby-extras-maintainers mailing list