Security update: OpenID, OAuth library issues
A potential security vulnerability was recently announced affecting many implementations of the OpenID and OAuth authentication protocols, including the open-source libraries used by StatusNet.
As a precaution, OpenID has been temporarily disabled on StatusNet cloud-hosted sites while we confirm the situation and get a proper fix installed. We recognize this may be an inconvenience to some users but prefer to err on the side of caution; OpenID should be re-enabled within a day or two at most to minimize disruption. OAuth access to the API is still enabled, which has a lower threat profile as private account settings and major administrator functions cannot be accessed this way.
As always we are doing our best to work with other open-source projects and are submitting our provisional fixes to the authors of the libraries we use; details and links to patches are below the fold.
Details for system administrators:
While we believe the direct threat is low, disabling OpenID logins is a reasonable precaution. In StatusNet 0.9.x, the OpenID plugin is loaded by default and may be disabled by adding this line to config.php:
unset($config['plugins']['default']['OpenID']);
For older versions of StatusNet, add this config.php setting:
$config['openid']['enabled'] = false;
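To confirm the change actually took effect rather than trusting that the line was typed correctly (a commented-out or mistyped line, or the 0.9.x line applied to an older release, leaves OpenID on), the following stand-alone PHP check can be run against config.php. This is an added example, not code from StatusNet or from this announcement; it assumes that StatusNet keeps its default plugin list under $config['plugins']['default'] keyed by plugin name, that config.php is plain PHP mutating that same $config array, and that the installer-generated config.php opens with a guard that exits unless the STATUSNET constant is defined. The function name openid_enabled and the command-line arguments are this example's own.

```php
<?php
// Added example (not StatusNet's own code): check that OpenID really ends up
// disabled once config.php has been applied to the default configuration.
//
// Assumptions, not taken from the announcement:
//   - 0.9.x enables a plugin iff its name is a key in $config['plugins']['default']
//   - older releases consult the $config['openid']['enabled'] flag instead
//   - config.php is a plain PHP file that edits the global $config array
//   - config.php begins with a guard that exits unless STATUSNET is defined

// Satisfy the guard at the top of an installer-generated config.php.
if (!defined('STATUSNET')) {
    define('STATUSNET', true);
}

// Constructed stand-in for the defaults StatusNet loads before config.php;
// only the keys relevant to this check are populated.
$config = array(
    'plugins' => array(
        'default' => array(
            'OpenID'  => null,
            'OStatus' => null,
        ),
    ),
    'openid' => array('enabled' => true),
);

/**
 * Return true if OpenID logins would still be accepted for the given
 * StatusNet version with this configuration.
 */
function openid_enabled(array $config, $version)
{
    if (version_compare($version, '0.9.0', '>=')) {
        // 0.9.x: the plugin is loaded iff it is still in the default list,
        // so the unset() line from the announcement must have removed the key.
        return array_key_exists('OpenID', $config['plugins']['default']);
    }
    // Older releases: the announcement's $config['openid']['enabled'] = false
    // line is what turns OpenID off.
    return !empty($config['openid']['enabled']);
}

// Usage: php check-openid.php [/path/to/config.php] [statusnet-version]
$configFile = isset($argv[1]) ? $argv[1] : 'config.php';
$version    = isset($argv[2]) ? $argv[2] : '0.9.0';

if (!is_readable($configFile)) {
    fwrite(STDERR, "cannot read $configFile\n");
    exit(2);
}

// Included at global scope so its assignments and unset() calls apply to
// the same $config array the check inspects.
include $configFile;

if (openid_enabled($config, $version)) {
    fwrite(STDERR, "OpenID is STILL ENABLED for StatusNet $version; re-check $configFile\n");
    exit(1);
}
echo "OpenID is disabled for StatusNet $version\n";
exit(0);
```

The script exits non-zero when OpenID would still load, so it can be run once after editing config.php and again after any later edit to that file. Because it evaluates the configuration instead of pattern-matching the text, it also catches the case where the right line is present but commented out or placed before a later assignment that re-enables the plugin.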
If you are brave, you can try patching the copies of the libraries shipped in StatusNet's extlib subdirectory; however these provisional patches have not been formally reviewed and are at your own risk. If you wish to try this, they're linked below:
Details for developers:
- Original vulnerability pre-announcement and recommendations
- Provisional patch for php-openid
- Provisional patch for OAuth


Comments
Thanks
Thank you for the update! I have edited my config.