php-openid 2.0.0 has broken support for HMAC-SHA256

Bug #399244 reported by Martin von Gagern
Affects: php-openid (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none set

Bug Description

Binary package hint: php-openid

php-openid-2.0.0 does not correctly deal with associations of type HMAC-SHA256. The code only supports the generation of HMAC-SHA1 signatures, but it fails to reject attempts at an HMAC-SHA256 connection with an "unsupported-type" error code as http://openid.net/specs/openid-authentication-2_0.html#refuse_assoc requires. The result is that a php-openid-2.0.0 server on current stable (jaunty) or current LTS (hardy) will be considered invalid by e.g. a current ZendFramework client like the one employed by SourceForge.

This bug might be contributing to bug #313703, although there might be more to that bug. The solution is probably the same, though: updating to 2.1.3 as available in karmic. It shouldn't be too difficult to backport this package to hardy and jaunty, and maybe to intrepid as well. Maybe the package from karmic can be taken as is.
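
The following is an added illustration of the protocol point in the report, written for this page and not taken from php-openid or any Ubuntu package. It models a toy OpenID 2.0 provider in Python that can only sign with HMAC-SHA1: with the section 8.2.4 check in place it refuses an HMAC-SHA256 association request with a direct error response carrying error_code "unsupported-type" and advertises the type it does support; with the check switched off (the hypothetical `strict=False` mode, standing in for the behaviour the report describes) it echoes the requested HMAC-SHA256 type back while still signing with HMAC-SHA1, so the relying party's signature check fails and the server looks invalid. The key-value form encoding, the signature construction over the "signed" fields, and the session type "no-encryption" follow the OpenID 2.0 specification; the class and function names, the association handle format, and the sample claimed_id are assumptions of this example.

```python
"""Toy OpenID 2.0 association flow: the spec-mandated refusal vs. the failure mode
in the report above.  Added illustration only; this is not php-openid code."""
import base64
import hashlib
import hmac
import secrets

OPENID2_NS = "http://specs.openid.net/auth/2.0"
HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_encode(fields):
    """Key-Value Form Encoding (OpenID 2.0 section 4.1.1): one 'key:value' per line."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def kv_decode(body):
    return dict(line.split(":", 1) for line in body.splitlines() if line)


def sign(mac_key, assoc_type, message, signed):
    """Section 6.1: HMAC over the kvform of the signed fields, in 'signed' order."""
    data = kv_encode({k: message["openid." + k] for k in signed})
    digest = hmac.new(mac_key, data.encode(), HASHES[assoc_type]).digest()
    return base64.b64encode(digest).decode()


def verify(mac_key, assoc_type, message):
    """Relying-party check of openid.sig using the association type it was told."""
    signed = message["openid.signed"].split(",")
    expected = sign(mac_key, assoc_type, message, signed)
    return hmac.compare_digest(expected, message["openid.sig"])


class Server:
    """Toy OP (hypothetical).  sign_alg is the only algorithm it can sign with;
    strict enables the section 8.2.4 check that the report says 2.0.0 lacks."""

    def __init__(self, sign_alg="HMAC-SHA1", strict=True):
        self.sign_alg, self.strict, self.assocs = sign_alg, strict, {}

    def associate(self, params):
        assoc_type = params.get("openid.assoc_type", "HMAC-SHA1")
        session_type = params.get("openid.session_type", "no-encryption")
        if self.strict and (assoc_type != self.sign_alg or session_type != "no-encryption"):
            # Section 8.2.4: direct error response advertising what we do support.
            return 400, kv_encode({
                "ns": OPENID2_NS,
                "error": "unsupported association or session type",
                "error_code": "unsupported-type",
                "assoc_type": self.sign_alg,
                "session_type": "no-encryption",
            })
        # MAC key length follows the signing algorithm actually used (160/256 bit).
        mac_key = secrets.token_bytes(HASHES[self.sign_alg]().digest_size)
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        # Non-strict mode echoes the requested type back even though it will sign
        # with sign_alg: that is the mismatch the report describes.
        return 200, kv_encode({
            "ns": OPENID2_NS,
            "assoc_handle": handle,
            "session_type": session_type,   # no-encryption: only safe over TLS
            "assoc_type": assoc_type,
            "expires_in": "3600",
            "mac_key": base64.b64encode(mac_key).decode(),
        })

    def sign_response(self, handle, fields):
        """Positive assertion signed with the algorithm the server really has."""
        msg = {"openid." + k: v for k, v in fields.items()}
        msg["openid.assoc_handle"] = handle
        msg["openid.signed"] = ",".join(["assoc_handle", *fields])
        msg["openid.sig"] = sign(self.assocs[handle], self.sign_alg, msg,
                                 msg["openid.signed"].split(","))
        return msg


def client_flow(server):
    """RP asks for HMAC-SHA256, then verifies an assertion with the type the OP
    claimed.  Returns 'valid', 'invalid', or the error_code of a refusal."""
    status, body = server.associate({
        "openid.ns": OPENID2_NS, "openid.mode": "associate",
        "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "no-encryption",
    })
    resp = kv_decode(body)
    if status != 200:
        return resp["error_code"]   # RP may now retry with resp["assoc_type"]
    mac_key = base64.b64decode(resp["mac_key"])
    msg = server.sign_response(resp["assoc_handle"],
                               {"mode": "id_res", "claimed_id": "https://example.invalid/alice"})
    return "valid" if verify(mac_key, resp["assoc_type"], msg) else "invalid"


if __name__ == "__main__":
    print("2.0.0-style server:", client_flow(Server(strict=False)))     # invalid
    print("spec-conformant server:", client_flow(Server()))             # unsupported-type
    print("SHA-256-capable server:", client_flow(Server("HMAC-SHA256")))  # valid
```

The refusal is what lets a client recover: on "unsupported-type" it can re-associate with the advertised assoc_type, whereas a silently mismatched association only surfaces later as a signature that never verifies. When checking a real server, request an HMAC-SHA256 association over the endpoint and inspect the direct response: a conformant 2.x server answers with error_code "unsupported-type" (or genuinely supports the type), while a server that returns assoc_type HMAC-SHA256 together with a 160-bit mac_key is exhibiting the mismatch described above.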
