Re: Security issues in standards (ruby-openid / CVE-2019-11027)

On 10/10/19 11:23 am, Brian May wrote:
> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>> Just a quick question about this patch since I haven't really tested
>> this at all (however aware of the CVE),
>> Is checking signature before sending a request to openid.claimed_id URL
>> strict enough?
> Yes, that is my understanding. If the signature is checked, that makes
> it impossible for a third party to change the claimed_id URL, rendering
> the attack impossible.
> I don't claim to be an expert on this however.

I had a few pointers, but since this is already uploaded, I'll raise
this in upstream first and then get back if needed.
Thank you for taking care of this.
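As an added illustration of the check discussed above (example code written for this page, not code from the thread, from ruby-openid, or from the Debian patch): a standalone Ruby sketch of a relying party verifying the OP's HMAC signature over the openid.signed fields before it uses openid.claimed_id at all. The association MAC key, field values and URLs are constructed for the example, and an HMAC-SHA256 association is assumed.

```ruby
require 'openssl'
require 'base64'

# Constructed association MAC key; in practice it comes from the association
# established with the OP (assumption: HMAC-SHA256 association type).
ASSOC_KEY = 'constructed-example-mac-key-do-not-reuse'.freeze

# Fields that must be covered by the signature for claimed_id to be trusted.
REQUIRED_SIGNED = %w[op_endpoint claimed_id identity return_to response_nonce assoc_handle].freeze

# Constant-time byte comparison so a forged signature leaks nothing via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Key-Value form of the signed fields, in openid.signed order (OpenID 2.0 section 6.1).
def kv_form(params)
  params['openid.signed'].split(',').map { |f| "#{f}:#{params["openid.#{f}"]}\n" }.join
end

def sign(params, key)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', key, kv_form(params)))
end

# Returns the claimed_id only when the response carries a valid signature that
# covers every required field; otherwise nil, and the RP must not fetch the URL.
def verified_claimed_id(params, key)
  signed = params['openid.signed'].to_s.split(',')
  return nil unless (REQUIRED_SIGNED - signed).empty?
  return nil unless secure_equal?(sign(params, key), params['openid.sig'].to_s)
  params['openid.claimed_id']
end

# Constructed positive assertion, as a relying party would receive it.
def sample_response
  p = {
    'openid.ns' => 'http://specs.openid.net/auth/2.0',
    'openid.mode' => 'id_res',
    'openid.op_endpoint' => 'https://op.example/endpoint',
    'openid.claimed_id' => 'https://alice.example/',
    'openid.identity' => 'https://alice.example/',
    'openid.return_to' => 'https://rp.example/return',
    'openid.response_nonce' => '2019-10-10T11:23:00Zabc',
    'openid.assoc_handle' => 'handle123',
    'openid.signed' => REQUIRED_SIGNED.join(',')
  }
  p['openid.sig'] = sign(p, ASSOC_KEY)
  p
end
```

For a stateless (no association) response the same verification happens by sending the fields to the OP's check_authentication endpoint, and that round trip still completes before any request to claimed_id is made.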


