Bug 482140 (CVE-2013-4701) - dev-php/php-openid : XRDS Processing XML External Entities Vulnerability (CVE-2013-4701)
Status: RESOLVED FIXED
Alias: CVE-2013-4701
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54542/
Whiteboard: ~3 [noglsa]
Reported: 2013-08-22 20:14 UTC by Agostino Sarubbo
Modified: 2014-10-15 05:29 UTC

Description Agostino Sarubbo gentoo-dev 2013-08-22 20:14:34 UTC
From ${URL} :

Description

A vulnerability has been reported in PHP OpenID, which can be exploited by malicious people to disclose certain sensitive information or cause a DoS (Denial of Service).

The vulnerability is caused due to an error when parsing XML external entities within XRDS data and can be exploited to e.g. disclose information from local resources or consume excessive server resources.

The vulnerability is reported in versions 2.2.2 and prior.


Solution:
Fixed in the git repository.

Provided and/or discovered by:
JVN credits Takeshi Terada, Mitsui Bussan Secure Directions, Inc. and Kosuke Ebihara

Original Advisory:
PHP OpenID:
https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9

JVN (English):
http://jvn.jp/en/jp/JVN24713981/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000080.html

JVN (Japanese):
http://jvn.jp/jp/JVN24713981/index.html
http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-000080.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 01:51:00 UTC
CVE-2013-4701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4701):
  Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote
  attackers to read arbitrary files, send HTTP requests to intranet servers,
  or cause a denial of service (CPU and memory consumption) via XRDS data
  containing an external entity declaration in conjunction with an entity
  reference, related to an XML External Entity (XXE) issue.
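The attack pattern named in the advisory and in the CVE text above (an entity declaration in the XRDS document plus a reference to it, resolved by the XML parser) is illustrated below as an added Python example. It is not code from php-openid, which is written in PHP; the point it demonstrates, that an XRDS document never needs a DOCTYPE and can therefore be refused before it reaches the parser, is language-neutral. The XRDS documents, the file path and the intranet address in them are constructed placeholders; the namespace URIs `xri://$xrds` and `xri://$xrd*($v*2.0)` are the real XRDS/XRD namespaces.

```python
"""Parsing XRDS with a guard against XML External Entities (XXE).

Added illustration for the CVE-2013-4701 class of bug; not php-openid code.
All XRDS documents below are constructed samples, and the hosts and paths in
them are placeholders.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

XRDS_NS = "xri://$xrds"           # namespace of the <XRDS> document element
XRD_NS = "xri://$xrd*($v*2.0)"    # namespace of <XRD>, <Service>, <Type>, <URI>


class XRDSRejected(ValueError):
    """Raised for XRDS input that carries a DOCTYPE (and so may declare entities)."""


def reject_doctype(data: bytes) -> None:
    """Refuse any document that contains a DOCTYPE declaration.

    File disclosure via SYSTEM entities, SSRF via http: SYSTEM identifiers and
    entity-expansion DoS ("billion laughs") all need a DOCTYPE in which to
    declare their entities, and a valid XRDS document never has one.  Expat
    decodes the input itself, so the check holds for UTF-16 input too, which
    a byte-level search for '<!DOCTYPE' would miss.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XRDSRejected(f"DOCTYPE {name!r} not permitted in XRDS")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)   # raises XRDSRejected, or ExpatError if malformed


def _services(root: ET.Element) -> list:
    """Collect <Service> entries as {'types': [...], 'uris': [...]} dicts."""
    out = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        out.append({
            "types": [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")],
            "uris": [u.text for u in svc.findall(f"{{{XRD_NS}}}URI")],
        })
    return out


def parse_xrds_unchecked(data: bytes) -> list:
    """What an unprotected parser does: entities declared in the DOCTYPE are
    expanded into the element text that the application then trusts."""
    return _services(ET.fromstring(data))


def parse_xrds(data: bytes) -> list:
    """Hardened variant: the DOCTYPE is rejected before anything is parsed."""
    reject_doctype(data)
    return _services(ET.fromstring(data))


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_xrds(data)
    except XRDSRejected:
        return True
    return False


# Constructed: a legitimate OpenID 2.0 XRDS document; no DOCTYPE.
GOOD_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed: the advisory's pattern, an external entity declaration plus a
# reference to it.  Placeholder targets: a local file, then an intranet host.
XXE_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE xrds [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>&xxe;</Type><URI>https://op.example/endpoint</URI></Service></XRD>
</xrds:XRDS>"""

XXE_SSRF = b"""<?xml version="1.0"?>
<!DOCTYPE xrds [ <!ENTITY probe SYSTEM "http://10.0.0.5/admin"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>&probe;</Type></Service></XRD>
</xrds:XRDS>"""

# Constructed: an internal entity, harmless in itself, showing that the
# unchecked parser expands whatever the DOCTYPE declares.
INTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE xrds [ <!ENTITY op "https://op.example/endpoint"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type><URI>&op;</URI></Service></XRD>
</xrds:XRDS>"""


if __name__ == "__main__":
    print("good:", parse_xrds(GOOD_XRDS))
    print("unchecked, internal entity expanded:", parse_xrds_unchecked(INTERNAL_ENTITY))
    for name, doc in (("file", XXE_FILE), ("ssrf", XXE_SSRF), ("internal", INTERNAL_ENTITY)):
        print(name, "rejected:", rejects(doc))
```

The unchecked parse of `INTERNAL_ENTITY` shows the precondition for the bug: the parser substitutes declared entities into `<URI>` text, and whatever a SYSTEM entity resolves to (a local file, a response from an intranet host) would land in the same place. Python's expat does not fetch external entities unless the application installs a handler for them, so the samples here cannot actually read `/etc/passwd`; the fix shown, refusing the DOCTYPE up front, is what makes the outcome independent of how the underlying XML library is configured.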
Comment 2 Brian Evans (RETIRED) gentoo-dev 2014-10-07 13:42:27 UTC
+*php-openid-2.2.3_pre20140423 (07 Oct 2014)
+
+  07 Oct 2014;  <grknight@gentoo.org> +php-openid-2.2.3_pre20140423.ebuild,
+  -php-openid-2.2.2.ebuild:
+  Bump to github snapshot from 2014-04-23 for security bug 482140
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 05:29:46 UTC
Maintainer(s), Thank you for your work. 

No GLSA needed as there are no stable versions.