[Bug 1190491] Re: XML denial of service vulnerability
** Changed in: ruby-openid (Ubuntu Quantal) Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1190491

Title: XML denial of service vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1190491] Re: XML denial of service vulnerability
This bug was fixed in the package libopenid-ruby - 2.1.8debian-1ubuntu0.1

---
libopenid-ruby (2.1.8debian-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: XML denial of service attack (LP: #1190491)
    - debian/patches/02_CVE_2013_1812.patch: lib/openid/fetchers.rb,
      lib/openid/yadis/xrds.rb: limit fetching file size and disable XML
      entity expansion. Based on upstream patch.
    - CVE-2013-1812

 -- Christian Kuersteiner ckuer...@gmx.ch  Mon, 24 Jun 2013 10:04:38 +0700

** Changed in: libopenid-ruby (Ubuntu Precise) Status: Confirmed => Fix Released
** Changed in: libopenid-ruby (Ubuntu Lucid) Status: Confirmed => Fix Released
[Bug 1190491] Re: XML denial of service vulnerability
This bug was fixed in the package libopenid-ruby - 2.1.7debian-1ubuntu0.1

---
libopenid-ruby (2.1.7debian-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: XML denial of service attack (LP: #1190491)
    - debian/patches/CVE-2013-1812.patch: lib/openid/fetchers.rb,
      lib/openid/yadis/xrds.rb: limit fetching file size and disable XML
      entity expansion. Based on upstream patch.
    - CVE-2013-1812

 -- Christian Kuersteiner ckuer...@gmx.ch  Thu, 20 Jun 2013 15:51:01 +0700
[Bug 1190491] Re: XML denial of service vulnerability
Thanks Christian!
[Bug 1190491] Re: XML denial of service vulnerability
** Branch linked: lp:~ubuntu-branches/ubuntu/lucid/libopenid-ruby/lucid-security
** Branch linked: lp:~ubuntu-branches/ubuntu/precise/libopenid-ruby/precise-security
[Bug 1190491] Re: XML denial of service vulnerability
Quantal ruby-openid is already fixed through https://bugs.launchpad.net/ubuntu/+source/ruby-openid/+bug/1190179.
[Bug 1190491] Re: XML denial of service vulnerability
Precise debdiff.

Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity worked without a problem. I could not start the second server with 'script/server --port=3001'. The application didn't understand the port part. The behaviour was the same for the patched and unpatched version.

** Patch added: lp1190491-precise.debdiff
   https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+attachment/3711870/+files/lp1190491-precise.debdiff
[Bug 1190491] Re: XML denial of service vulnerability
Lucid debdiff.

Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity and verifying via second instance worked without a problem.

** Patch added: lp1190491-lucid.debdiff
   https://bugs.launchpad.net/ubuntu/+source/libopenid-ruby/+bug/1190491/+attachment/3708618/+files/lp1190491-lucid.debdiff
[Bug 1190491] Re: XML denial of service vulnerability
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Also affects: ruby-openid (Ubuntu) Importance: Undecided Status: New
** Also affects: libopenid-ruby (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: ruby-openid (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: libopenid-ruby (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: ruby-openid (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: libopenid-ruby (Ubuntu Saucy) Importance: Undecided Status: New
** Also affects: ruby-openid (Ubuntu Saucy) Importance: Undecided Status: New
** Also affects: libopenid-ruby (Ubuntu Quantal) Importance: Undecided Status: New
** Also affects: ruby-openid (Ubuntu Quantal) Importance: Undecided Status: New
** Also affects: libopenid-ruby (Ubuntu Raring) Importance: Undecided Status: New
** Also affects: ruby-openid (Ubuntu Raring) Importance: Undecided Status: New

** Changed in: ruby-openid (Ubuntu Lucid) Status: New => Invalid
** Changed in: ruby-openid (Ubuntu Precise) Status: New => Invalid
** Changed in: ruby-openid (Ubuntu Raring) Status: New => Fix Released
** Changed in: ruby-openid (Ubuntu Saucy) Status: New => Fix Released
** Changed in: ruby-openid (Ubuntu Quantal) Importance: Undecided => Medium
** Changed in: ruby-openid (Ubuntu Quantal) Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Lucid) Importance: Undecided => Medium
** Changed in: libopenid-ruby (Ubuntu Lucid) Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Precise) Importance: Undecided => Medium
** Changed in: libopenid-ruby (Ubuntu Precise) Status: New => Confirmed
** Changed in: libopenid-ruby (Ubuntu Quantal) Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu Raring) Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu Saucy) Status: New => Invalid
** Changed in: libopenid-ruby (Ubuntu) Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu) Status: Fix Released => Incomplete
** Changed in: libopenid-ruby (Ubuntu Lucid) Status: Confirmed => Incomplete
** Changed in: ruby-openid (Ubuntu Lucid) Status: Invalid => Incomplete
** Changed in: libopenid-ruby (Ubuntu Precise) Status: Confirmed => Incomplete
** Changed in: ruby-openid (Ubuntu Precise) Status: Invalid => Incomplete
** Changed in: libopenid-ruby (Ubuntu Quantal) Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu Quantal) Status: Confirmed => Incomplete
** Changed in: libopenid-ruby (Ubuntu Raring) Status: Invalid => Incomplete
** Changed in: ruby-openid (Ubuntu Raring) Status: Fix Released => Incomplete
** Changed in: libopenid-ruby (Ubuntu Lucid) Status: Incomplete => Confirmed
** Changed in: libopenid-ruby (Ubuntu Precise) Status: Incomplete => Confirmed
** Changed in: libopenid-ruby (Ubuntu Quantal) Status: Incomplete => Invalid
** Changed in: libopenid-ruby (Ubuntu Raring) Status: Incomplete => Invalid
** Changed in: libopenid-ruby (Ubuntu Saucy) Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Lucid) Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Precise) Status: Incomplete => Invalid
** Changed in: ruby-openid (Ubuntu Quantal) Status: Incomplete => Confirmed
** Changed in: ruby-openid (Ubuntu Raring) Status: Incomplete => Fix Released
** Changed in: ruby-openid (Ubuntu Saucy) Status: Incomplete => Fix Released
[Bug 1190491] Re: XML denial of service vulnerability
What's the relationship between this bug and bug https://bugs.launchpad.net/bugs/1190179 ?
[Bug 1190491] Re: XML denial of service vulnerability
It's the same vulnerability. As far as I see the package got renamed/moved from libopenid-ruby to ruby-openid on quantal. Since they are different packages I opened two bugs.