Axel, no contact yet. I will contact the gem maintainer directly.

Cheers
Chris

On Thu, Feb 28, 2019 at 12:25 AM <[email protected]> wrote:

> Hi Chris,
>
> did somebody reach out to you already?
>
> Please either reach out to the maintainer of the gem yourself or tell me who you think should be contacted.
>
> Kind regards
>
> Axel
>
> *From:* security <[email protected]> *On Behalf Of *Chris
> *Sent:* Wednesday, 27 February 2019 01:09
> *To:* [email protected]
> *Subject:* [security] Security issue with ruby-openid library
>
> openid-security mailing list:
>
> I have discovered a remotely exploitable weakness in the ruby-openid library that Rails web applications use to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to implement the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
>
> I hesitate to provide too much detail publicly, as I would prefer to responsibly report the details of this issue privately, to ensure that the OpenID community has time to confirm my findings, implement appropriate code changes, and communicate effectively with affected developers.
>
> Can one of the main admins on the list please suggest a viable approach? One of the primary maintainers of the ruby-openid project could contact me directly (reply to this email?), or I could be provided with a short list of maintainers to contact.
>
> Thank you
>
> -
>
> Chris
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
