
List:       openid-security
Subject:    Re: [security] Security issue with ruby-openid library
From:       Chris <setenforce1 () gmail ! com>
Date:       2019-03-02 17:19:09
Message-ID: CADRwfSLLaVAGDZ72fF05Xh_eSqakeYHiKaMQY3yvd+S+i3DaQQ () mail ! gmail ! com


Thanks Nat, I reached out via email to who I believe is the project
maintainer yesterday.

Cheers,

Chris

On Fri, Mar 1, 2019, 11:27 PM n-sakimura <n-sakimura@nri.co.jp> wrote:

> Chris,
>
> Thanks for reaching out. Sorry that I could not respond earlier.
> I was flying from Tokyo to San Francisco.
>
> I will let the secretariat know about it so that they can act accordingly.
>
> In the mean time, if you could use your own path to get in touch with the
> author of the gem, it would be great as well as it is over the weekend in
> the U.S.
>
> Additionally, I will bring it up in the board meeting to make our process
> more effective on these things.
>
> Best,
>
> Nat Sakimura
> Chairman of the board
> OpenID Foundation
>
> ------------------------------
> *From:* security <openid-security-bounces@lists.openid.net> (on behalf of
> Chris <setenforce1@gmail.com>)
> *Sent:* Wednesday, February 27, 2019 9:09 AM
> *To:* openid-security@lists.openid.net
> *Subject:* [security] Security issue with ruby-openid library
>
> openid-security mailing list:
>
> I have discovered a remotely exploitable weakness in the ruby-openid
> library that Rails web applications use to integrate with OpenID
> Providers.  Severity can range from medium to critical, depending on how a
> web application developer chose to implement the ruby-openid library.
> Developers who based their OpenID integration heavily on the "example app"
> provided by the project are at highest risk.
>
> I hesitate to provide too much detail publicly, as I would prefer to
> responsibly report the details of this issue privately, to ensure that the
> OpenID community has time to confirm my findings, implement appropriate
> code changes, and communicate effectively with affected developers.
>
> Can one of the main admins on the list please suggest a viable approach?
> One of the primary maintainers of the ruby-openid project could contact me
> directly (reply to this email?), or I could be provided with a short list
> of maintainers to contact.
>
> Thank you
> -
> Chris
>

_______________________________________________
security mailing list
security@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-security

