Thanks Nat, I reached out via email to who I believe is the project maintainer yesterday.
Cheers,
Chris

On Fri, Mar 1, 2019, 11:27 PM n-sakimura <[email protected]> wrote:

> Chris,
>
> Thanks for reaching out. Sorry that I could not respond earlier.
> I was flying from Tokyo to San Francisco.
>
> I will let the secretariat know about it so that they can act accordingly.
>
> In the meantime, if you could use your own path to get in touch with the
> author of the gem, it would be great as well as it is over the weekend in
> the U.S.
>
> Additionally, I will bring it up in the board meeting to make our process
> more effective on these things.
>
> Best,
>
> Nat Sakimura
> Chairman of the board
> OpenID Foundation
>
> ------------------------------
> *From:* security <[email protected]> (on behalf of Chris <[email protected]>)
> *Sent:* Wednesday, February 27, 2019 9:09 AM
> *To:* [email protected]
> *Subject:* [security] Security issue with ruby-openid library
>
> openid-security mailing list:
>
> I have discovered a remotely exploitable weakness in the ruby-openid
> library that Rails web applications use to integrate with OpenID
> Providers. Severity can range from medium to critical, depending on how a
> web application developer chose to implement the ruby-openid library.
> Developers who based their OpenID integration heavily on the "example app"
> provided by the project are at highest risk.
>
> I hesitate to provide too much detail publicly, as I would prefer to
> responsibly report the details of this issue privately, to ensure that the
> OpenID community has time to confirm my findings, implement appropriate
> code changes, and communicate effectively with affected developers.
>
> Can one of the main admins on the list please suggest a viable approach?
> One of the primary maintainers of the ruby-openid project could contact me
> directly (reply to this email?), or I could be provided with a short list
> of maintainers to contact.
>
> Thank you
> -
> Chris
>
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
