Re: CVE request: rubygem omniauth-facebook CSRF vurnerability

[Josef Šimánek <josef.simanek () gmail com>]

Patch prepared to release:

https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7


2013/11/12 Josef Šimánek <josef.simanek () gmail com>

> # RubyGem omniauth-facebook CSRF vulnerability
>
> There is a security vulnerability in the CSRF protection of omniauth-facebook 1.4.1.
>
>     Versions affected: 1.4.1
>     Not affected:      <= 1.4.0 (*)
>     Fixed versions:    >= 1.5.0
>
> (*) Versions <= 1.4.0 did not have any CSRF protection. So, while this vulnerability does not directly affect 
> versions <= 1.4.0, downgrading to <= 1.4.0 is not a fix.
>
> ## Impact
>
> Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the 
> session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be 
> considered broken.
>
> If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by 
> using the session store) to use 1.5.0.
>
> All users running an affected release should upgrade to 1.5.0.
>
> ## Releases
>
> The 1.5.0 releases is available at the normal locations.
>
>
> ## Workarounds
>
> None.
>
> ## Credits
>
> Egor Homakov (@homakov)
>
>
> regardsJosef Šimánek