Hi Chris,

Did somebody reach out to you already? Please either reach out to the maintainer of the gem yourself or tell me who you think should be contacted.

Kind regards
Axel

From: security <[email protected]> On Behalf Of Chris
Sent: Wednesday, 27 February 2019 01:09
To: [email protected]
Subject: [security] Security issue with ruby-openid library

openid-security mailing list:

I have discovered a remotely exploitable weakness in the ruby-openid library that Rails web applications use to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to implement the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

I hesitate to provide too much detail publicly, as I would prefer to responsibly report the details of this issue privately, to ensure that the OpenID community has time to confirm my findings, implement appropriate code changes, and communicate effectively with affected developers.

Can one of the main admins on the list please suggest a viable approach? One of the primary maintainers of the ruby-openid project could contact me directly (reply to this email?), or I could be provided with a short list of maintainers to contact.

Thank you
- Chris
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
