Security alert 0000003

The open-source OpenID and OAuth authentication libraries shipped with versions of StatusNet up through 0.9.3 are potentially vulnerable to timing attacks, which could be used to forge authentication tokens and thus access account data.

Fixes for the libraries are being worked on, and a release of StatusNet including fixed versions should be available shortly.

News

 * 13 July 2010 - Initial report from security researchers to openid-security list; more details to come at Black Hat presentation: http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
 * 16 July 2010 - Story broke generally within the tech community
 * 17 July 2010 - Provisional patches submitted upstream; OpenID temporarily disabled on status.net hosted sites; notice posted here and to the status.net blog.
 * 20 July 2010 - The above provisional patches are live on status.net hosted sites, and OpenID access has been restored. The fixes will be rolled into the upcoming 0.9.4 bugfix release, since our threat assessment considers the risk largely theoretical for now. The pre-patched libraries are available in StatusNet's development sources (master branch) for those who want to get a jump on it.

Workaround

While we believe the direct threat is low, disabling OpenID logins is a reasonable precaution. In StatusNet 0.9.x, the OpenID plugin is loaded by default and may be disabled by adding this line to config.php:

unset($config['plugins']['default']['OpenID']);

For older versions of StatusNet, add this config.php setting:

$config['openid']['enabled'] = false;

Fix

While waiting for final upstream fixes, you can try patching the copies of the libraries shipped in StatusNet's extlib subdirectory; however, these provisional patches have not been formally reviewed and are applied at your own risk:

 * Provisional patch for php-openid
 * Provisional patch for OAuth
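The class of defect behind this alert, and the class of fix the provisional patches apply, shown as an added example (this is not StatusNet's, php-openid's or the OAuth library's own code): a signature check that compares the expected and supplied HMAC with an early-exit string comparison, beside a comparison that takes the same time regardless of where the first differing byte is. The base string, key and function names are constructed for the example.

```php
<?php
// Added example, not code from StatusNet or the patched libraries.
// An OAuth 1.0 HMAC-SHA1 signature check that compares with == (or strcmp)
// returns as soon as the first byte differs, so the time it takes depends on
// how many leading bytes of a supplied signature match the real one.

// Vulnerable form: early-exit comparison of expected vs. supplied signature.
function verify_signature_naive($base_string, $key, $supplied) {
    $expected = base64_encode(hash_hmac('sha1', $base_string, $key, true));
    return $expected == $supplied;   // stops at the first mismatching byte
}

// Hardened form: XOR every byte and OR the results together, so the loop
// always runs to the end and the elapsed time does not depend on the
// supplied value. (PHP >= 5.6 ships hash_equals() for this; the explicit
// loop is what a patch for the PHP 5.2/5.3 era of StatusNet 0.9.x needs.)
function constant_time_equals($known, $supplied) {
    if (!is_string($known) || !is_string($supplied)) {
        return false;
    }
    $len = strlen($known);
    if ($len !== strlen($supplied)) {
        return false;  // a base64 HMAC-SHA1 is always 28 bytes, so length is not secret
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

function verify_signature_safe($base_string, $key, $supplied) {
    $expected = base64_encode(hash_hmac('sha1', $base_string, $key, true));
    return constant_time_equals($expected, $supplied);
}

// Constructed sample input: a signature base string and signing key in the
// shape an OAuth 1.0 consumer builds them (values made up for this example).
$base_string = 'GET&http%3A%2F%2Fexample.invalid%2Fapi&oauth_nonce%3Dabc';
$key = 'consumer-secret&token-secret';
$good = base64_encode(hash_hmac('sha1', $base_string, $key, true));
// Same length as $good but differs in the first byte.
$bad = ($good[0] === 'A' ? 'B' : 'A') . substr($good, 1);

var_dump(verify_signature_safe($base_string, $key, $good));
var_dump(verify_signature_safe($base_string, $key, $bad));
```

Both functions return the same booleans for these inputs; the difference the patches address is only in how long the rejection of a wrong signature takes.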