First published: Tue Mar 05 2013
A denial of service flaw was found in the way ruby-openid, a library for verifying and serving OpenID identities, processed certain XML files. An OpenID provider could serve a specially crafted XML file that, when processed, would lead to excessive CPU consumption (denial of service).

References:
[1] https://github.com/openid/ruby-openid/pull/43
[2] https://bugzilla.novell.com/show_bug.cgi?id=804717
[3] http://www.openwall.com/lists/oss-security/2013/03/01/5
[4] http://www.openwall.com/lists/oss-security/2013/03/03/8

Relevant upstream patch:
[5] https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedoraproject Fedora | =17 | |
| Fedoraproject Fedora | =18 | |
| Janrain Ruby-openid | <=2.2.1 | |
| Janrain Ruby-openid | =2.2.0 | |
| rubygems/ruby-openid | <2.2.2 | 2.2.2 |
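The XML an OpenID provider hands to ruby-openid during discovery is an XRDS document, parsed with Ruby's REXML. The following is an added example, not ruby-openid's own code: it shows how a defender can make a REXML-based XRDS parser refuse entity expansion entirely by giving REXML a zero expansion budget while the document is parsed and read. It assumes the crafted input abuses XML entity expansion (the advisory text above does not spell out the mechanism); the sample documents and the names `service_uris`, `with_entity_expansion_limit` and `UnsafeXrds` are constructed for this illustration.

```ruby
require 'rexml/document'

XRD_NS = 'xri://$xrd*($v*2.0)'.freeze # namespace of XRD elements in XRDS

# Constructed sample: a minimal XRDS document as an OpenID provider returns it.
BENIGN_XRDS = <<~'XML'
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://provider.example/openid</URI>
    </Service></XRD>
  </xrds:XRDS>
XML

# Constructed sample: the same document with the URI supplied by an internal
# DTD entity. One small entity is harmless; the point is that the hardened
# parser refuses expansion outright rather than trying to bound its cost.
ENTITY_XRDS = <<~'XML'
  <!DOCTYPE xrds:XRDS [ <!ENTITY srv "https://provider.example/openid"> ]>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>&srv;</URI>
    </Service></XRD>
  </xrds:XRDS>
XML

class UnsafeXrds < StandardError; end
# Runs the block with REXML's global entity-expansion budget set to +limit+
# and restores the previous value afterwards, even if the block raises.
def with_entity_expansion_limit(limit)
  previous = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = limit
  yield
ensure
  REXML::Security.entity_expansion_limit = previous
end

# Returns the service URIs advertised by an XRDS document. The default limit
# of 0 aborts on the first entity expansion. Parsing and text extraction both
# run inside the guarded block, because REXML expands entities lazily when
# element text is read, not when the document is parsed.
def service_uris(xml, expansion_limit: 0)
  with_entity_expansion_limit(expansion_limit) do
    doc = REXML::Document.new(xml)
    REXML::XPath.match(doc, '//x:URI', 'x' => XRD_NS).map(&:text)
  end
rescue RuntimeError => e # REXML::ParseException is also a RuntimeError
  raise UnsafeXrds, "rejected XRDS document: #{e.message}"
end
```

Because REXML's expansion limit is process-wide, the `ensure` restore matters in a multi-threaded server: a limit left at zero would break unrelated XML handling, and a limit left at the default would reopen the exposure.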