oss-sec mailing list archives

Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 16 Nov 2011 17:02:19 -0700

On 11/16/2011 02:43 AM, David Jorm wrote:
It was found that openid4java was not checking that all Attribute Exchange (AX) information passed to it was signed. This is a security concern if AX is being used to receive information that an application only trusts the identity provider to assert.

Upstream advisory: http://openid.net/2011/05/05/attribute-exchange-security-alert/
Patch commit: http://code.google.com/p/openid4java/source/detail?r=661
Secunia advisory: http://secunia.com/advisories/44496/

Thanks
Please use CVE-2011-4314 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
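An added illustration of the check the quoted report describes, written in Python rather than openid4java's Java and not taken from openid4java or either poster: a relying party must confirm that every AX parameter, and the namespace binding that defines the alias, is listed in openid.signed before trusting it, because openid.sig only covers the listed fields. The HMAC-SHA256 association, the MAC key, the endpoint and the e-mail values are all constructed for the example.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"

def signed_fields(params):
    # Fields named in openid.signed (given without the "openid." prefix), in order
    return [f for f in params.get("openid.signed", "").split(",") if f]
def sign(params, mac_key):
    # Key-value form over the signed fields, HMAC-SHA256 with the association MAC key;
    # returns a copy of the assertion carrying the base64 openid.sig
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields(params))
    digest = hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(digest).decode()}
def verify_signature(params, mac_key):
    return hmac.compare_digest(sign(params, mac_key)["openid.sig"], params.get("openid.sig", ""))
def ax_aliases(params):
    # Extension aliases bound to the AX namespace, e.g. "ax" for openid.ns.ax
    return [k[10:] for k, v in params.items() if k.startswith("openid.ns.") and v == AX_NS]
def unsigned_ax_fields(params):
    # The missing check: ns.<alias> and every <alias>.* field must be listed in openid.signed
    signed = set(signed_fields(params))
    fields = [k[7:] for k in params if k.startswith("openid.")]
    return sorted(f for f in fields for a in ax_aliases(params)
                  if (f == "ns." + a or f.startswith(a + ".")) and f not in signed)
def trusted_ax_attributes(params, mac_key):
    # AX {type_uri: value}, accepted only if openid.sig verifies and no AX field is unsigned
    if not verify_signature(params, mac_key):
        raise ValueError("openid.sig does not verify")
    missing = unsigned_ax_fields(params)
    if missing:
        raise ValueError("unsigned AX fields: " + ", ".join(missing))
    attrs = {}
    for alias in ax_aliases(params):
        prefix = f"openid.{alias}.type."
        for key in [k for k in params if k.startswith(prefix)]:
            attrs[params[key]] = params.get(f"openid.{alias}.value.{key[len(prefix):]}", "")
    return attrs

MAC_KEY = b"constructed-association-mac-key"  # in practice obtained from the OP association
# Constructed assertion: the OP signed only core fields and AX parameters were added outside
# the signature; openid.sig still verifies, so skipping the openid.signed check trusts them
TAMPERED = {**sign({"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
                    "openid.claimed_id": "https://op.example/alice",
                    "openid.signed": "ns,mode,claimed_id"}, MAC_KEY),
            "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
            "openid.ax.type.email": "http://axschema.org/contact/email",
            "openid.ax.value.email": "unsigned@example.com"}
```

verify_signature(TAMPERED, MAC_KEY) is True, yet trusted_ax_attributes rejects it because unsigned_ax_fields lists ns.ax and the three ax.* parameters.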
