Red Hat Bugzilla – Bug 918134
CVE-2013-1812 ruby-openid: Vulnerable to XIE DoS attacks
Last modified: 2015-07-31 02:59:30 EDT
A denial of service flaw was found in the way ruby-openid, a library for verifying and serving OpenID identities, performed processing of certain XML files. An OpenID provider could provide a specially-crafted XML file that, when processed, would lead to excessive CPU consumption (denial of service).
Relevant upstream patch:
This issue affects the versions of the ruby-openid package as shipped with Fedora releases 17 and 18. Please schedule an update.
Created ruby-openid tracking bugs for this issue
Affects: fedora-all [bug 918135]
For the record, this was fixed upstream in version 2.2.2 of the ruby-openid gem. This package has been renamed to rubygem-ruby-openid. https://admin.fedoraproject.org/updates/rubygem-ruby-openid
rubygem-ruby-openid-2.3.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-ruby-openid-2.3.0-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.