From ${URL} : ruby-openid is affected by an XML denial of service (Entity Expansion Attack / out of memory) attack as recently described. https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed https://github.com/openid/ruby-openid/pull/43 https://bugzilla.novell.com/show_bug.cgi?id=804717
We already have the fixed version of ruby-openid in the tree, so we can mark that stable: =dev-ruby/ruby-openid-2.2.2
amd64 stable
x86 stable
Ready for vote, I vote YES.
GLSA vote: yes. GLSA drafted and ready for review.
CVE-2013-1812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1812): The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
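The XEE vector named in the CVE description above, as an added example that is not code from this bug, from ruby-openid or from the GLSA: it shows the entity-expansion budget of REXML (Ruby's standard XML parser) rejecting a constructed nested-entity XRDS document while a normal one parses. The two sample documents, the op.example.invalid endpoint and the service_uris helper are constructed for this illustration and are not from the project.

```ruby
require 'rexml/document'

# Constructed sample: a benign XRDS document of the kind an OpenID
# provider returns during discovery.
BENIGN_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
      <Service priority="0">
        <Type>http://specs.openid.net/auth/2.0/server</Type>
        <URI>https://op.example.invalid/endpoint</URI>
      </Service>
    </XRD>
  </xrds:XRDS>
XML

# Constructed sample of the XEE shape: three layers of ten nested entity
# references, so the single "&e3;" in the body costs more than a thousand
# entity lookups and 3000 bytes of text. Deeper nesting grows geometrically.
HOSTILE_XRDS = <<~'XML'
  <?xml version="1.0"?>
  <!DOCTYPE xrds:XRDS [
    <!ENTITY e0 "xxx">
    <!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
    <!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
    <!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
  ]>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service><URI>&e3;</URI></Service></XRD>
  </xrds:XRDS>
XML

# Extract the <URI> values from an XRDS document under an explicit
# entity-expansion budget. REXML expands entities lazily, so reading
# Element#text is what forces expansion and trips the limit; a document
# that exceeds the budget is rejected (nil) instead of being expanded.
def service_uris(xml, max_expansions: 100)
  saved = REXML::Security.entity_expansion_limit   # REXML default: 10000
  REXML::Security.entity_expansion_limit = max_expansions
  doc = REXML::Document.new(xml)
  uris = []
  doc.root.each_recursive { |el| uris << el.text if el.name == 'URI' }
  uris
rescue RuntimeError => e
  # REXML signals a blown budget with a RuntimeError ("number of entity
  # expansions exceeded ..." or "entity expansion has grown too large").
  warn "rejected XRDS: #{e.message}"
  nil
ensure
  REXML::Security.entity_expansion_limit = saved
end
```

A budget of 100 is far above what a legitimate XRDS needs, yet it stops this payload at roughly a tenth of its expansions; the default of 10000 would let this small sample through, which is why discovery code should set its own bound rather than rely on the library default.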
This issue was resolved and addressed in GLSA 201405-14 at http://security.gentoo.org/glsa/glsa-201405-14.xml by GLSA coordinator Sean Amoss (ackle).