CVE-2013-1812
Published: 12 December 2013
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libopenid-ruby Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(2.1.7debian-1ubuntu0.1)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Released
(2.1.8debian-1ubuntu0.1)
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Released
(2.2.2)
|
|
|
ruby-openid Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Released
(2.1.8debian-5ubuntu0.1)
|
|
| raring |
Not vulnerable
(2.1.8debian-6)
|
|
| upstream |
Released
(2.1.8debian-6, 2.2.2)
|
|
|
Patches: upstream: https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed |
||