Security update: OpenID, OAuth library issues
A potential security vulnerability was recently announced affecting many implementations of the OpenID and OAuth authentication protocols, including the open-source libraries used by StatusNet.
As a precaution, OpenID has been temporarily disabled on StatusNet cloud-hosted sites while we confirm the situation and get a proper fix installed. We recognize this may be an inconvenience to some users but prefer to err on the side of caution; OpenID should be re-enabled within a day or two at most to minimize disruption. OAuth access to the API is still enabled, which has a lower threat profile as private account settings and major administrator functions cannot be accessed this way.
As always we are doing our best to work with other open-source projects and are submitting our provisional fixes to the authors of the libraries we use; details and links to patches are below the fold.
Details for system administrators:
While we believe the direct threat is low, disabling OpenID logins is a reasonable precaution. In StatusNet 0.9.x, the OpenID plugin is loaded by default and may be disabled by adding this line to config.php:
For older versions of StatusNet, add this config.php setting:
$config['openid']['enabled'] = false;
If you are brave, you can try patching the copies of the libraries shipped in StatusNet's extlib subdirectory; however these provisional patches have not been formally reviewed and are at your own risk. If you wish to try this, they're linked below:
Details for developers: