A security issue has been reported in mod_auth_openid, which can be exploited by malicious, local users to disclose sensitive information. The security issue is caused due to the application creating a database file (/tmp/mod_auth_openid.db) with insecure world-readable permissions. This can be exploited to disclose the openid sessions. The security issue is reported in versions prior to 0.7.

Reproducible: Always
From Secunia security advisory at $URL
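The weak and owner-only file creation patterns behind this report, as an added example that is not mod_auth_openid code or the project's actual fix. The function names and scratch paths are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: mode 0644 under a typical 022 umask leaves the file
 * readable by every local user. */
int create_db_default(const char *path) {
    mode_t old = umask(022);
    int fd = open(path, O_RDWR | O_CREAT, 0644);
    umask(old);
    return fd;
}

/* Hardened pattern: owner-only mode, and O_EXCL refuses a path that
 * already exists (including a symlink planted in a shared directory). */
int create_db_private(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && fchmod(fd, 0600) != 0) { /* enforce 0600 whatever the umask */
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit check: 1 if group or other has any access, 0 if owner-only,
 * -1 if the file cannot be examined. */
int is_exposed(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

int main(void) {
    char dir[] = "/tmp/authdb-demo-XXXXXX"; /* constructed scratch directory */
    char weak[64], priv[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(weak, sizeof weak, "%s/weak.db", dir);
    snprintf(priv, sizeof priv, "%s/private.db", dir);
    close(create_db_default(weak));
    close(create_db_private(priv));
    printf("%s exposed=%d\n", weak, is_exposed(weak));
    printf("%s exposed=%d\n", priv, is_exposed(priv));
    unlink(weak); unlink(priv); rmdir(dir);
    return 0;
}
```

Running `is_exposed` against the path named in the advisory on a host with an affected version installed shows whether the session database is readable by other local users.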
Version 0.8 is now in the tree. As no version of this package ever was stable no stabilization process is required here.
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Version 0.8 is now in the tree. As no version of this package ever was
> stable no stabilization process is required here.

Thank you. Please drop 0.6 and then we can get this bug closed up.
Maintainer(s), please drop the vulnerable version(s). Thank you!
Maintainer timeout, cleanup done, closing noglsa.