[DRE-maint] [Bug 1190491] Re: XML denial of service vulnerability
Christian Kuersteiner
ckuerste at gmx.ch
Mon Jun 24 03:13:43 UTC 2013
Precise debdiff.
Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity worked without a problem. I could not start the second server with 'script/server --port=3001'. The application didn't understand the port part. The behaviour was the same for the patched and unpatched version.
** Patch added: "lp1190491-precise.debdiff"
https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+attachment/3711870/+files/lp1190491-precise.debdiff
--
You received this bug notification because you are subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1190491
Title:
XML denial of service vulnerability
Status in “libopenid-ruby” package in Ubuntu:
Invalid
Status in “ruby-openid” package in Ubuntu:
Fix Released
Status in “libopenid-ruby” source package in Lucid:
Confirmed
Status in “ruby-openid” source package in Lucid:
Invalid
Status in “libopenid-ruby” source package in Precise:
Confirmed
Status in “ruby-openid” source package in Precise:
Invalid
Status in “libopenid-ruby” source package in Quantal:
Invalid
Status in “ruby-openid” source package in Quantal:
Confirmed
Status in “libopenid-ruby” source package in Raring:
Invalid
Status in “ruby-openid” source package in Raring:
Fix Released
Status in “libopenid-ruby” source package in Saucy:
Invalid
Status in “ruby-openid” source package in Saucy:
Fix Released
Bug description:
libopenid-ruby is affected by a XML denial of service (Entity
Expansion Attack / out of memory) attack.
See: https://github.com/openid/ruby-openid/pull/43
Patch:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+subscriptions
More information about the Pkg-ruby-extras-maintainers
mailing list