Omniauth-auth0 - Vulnerability fix

Hi

The ruby gem that you maintain, omniauth-auth0, makes use of a 3rd party library where a vulnerability fix has now been made to resolve CVE-2015-9284.

As the ruby gem ‘omniauth-auth0’ that you maintain makes use of the old version where the vulnerability is present, and you provide a workaround by way of the ‘omniauth-rails_csrf_protection’ patch, will you be updating your own gem so that it uses the new version of omniauth where the vulnerability is no longer present?

Further details of the vulnerability fix in omniauth can be seen at Release v2.0.0 · omniauth/omniauth · GitHub

Thanks
Scott

Hey there @scotts!

Let me reach out to the responsible team to find more info about it. I’ll get back to you as soon as I have news to share!

Hey Scott!

In this case it seems like it would be best if you handle that directly with the repo maintainers. Can you take that conversation to a GitHub issue to talk directly with our repo maintainers? I think with me as a middleman it would only slow things down.

Have you had a chance to open a GitHub issue in the meantime?

Hi

I got a brief response at High Risk Vulnerability in Parent OmniAuth Library · Issue #82 · auth0/omniauth-auth0 · GitHub, but it would be good to get an idea of time frames if that’s possible? (I don’t want to perform a good bit of testing only to find a new version comes out the next day.)

Thanks
Scott


Unfortunately there is no public ETA for that as of now.

Closing this one, if I have any updates I’ll let you know!