Guardian Digital WebTool

oss-security November 2011 archive

Main Archive Page > Month Archives > oss-security archives

oss-security: Re: [oss-security] CVE Request: openid4java not pr

Re: [oss-security] CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information

From: Kurt Seifried <kseifried_at_nospam>
Date: Thu Nov 17 2011 - 00:02:19 GMT
To: oss-security@lists.openwall.com

On 11/16/2011 02:43 AM, David Jorm wrote:
> It was found that openid4java was not checking that all Attribute Exchange (AX) information passed to it was signed. This is a security concern if AX is being used to receive information that an application only trusts the identity provider to assert.
>
> Upstream advisory: http://openid.net/2011/05/05/attribute-exchange-security-alert/
> Patch commit: http://code.google.com/p/openid4java/source/detail?r=661
> Secunia advisory: http://secunia.com/advisories/44496/
>
> Thanks
Please use CVE-2011-4314 for this issue.

-- -Kurt Seifried / Red Hat Security Response Team

This message: [ Message body ]
Next message: Solar Designer: "Re: [oss-security] CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c"
Previous message: Solar Designer: "[oss-security] CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c"
In reply to: David Jorm: "[oss-security] CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]

© Copyright 2012 Guardian Digital, Inc. All Rights Reserved.