XML denial of service vulnerability

Bug #1190179 reported by Christian Kuersteiner
Affects: ruby-openid (Ubuntu) - Status: Fix Released, Importance: Undecided, Assigned to: Unassigned
Affects: ruby-openid (Ubuntu Quantal) - Status: Fix Released, Importance: Undecided, Assigned to: Unassigned

Bug Description

ruby-openid is affected by an XML denial of service (Entity Expansion Attack / out of memory) attack.

See: https://github.com/openid/ruby-openid/pull/43

Patch:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

Raring and Saucy already contain the patch and are not vulnerable.

information type: Private Security → Public Security
Christian Kuersteiner (ckuerste) wrote :

Debdiff for quantal.

Tests done:
- Builds with pbuilder.
- Can install and upgrade cleanly.

Changed in ruby-openid (Ubuntu):
status: New → Fix Released
Christian Kuersteiner (ckuerste) wrote :

New debdiff to correctly set Maintainer in debian/control.

Seth Arnold (seth-arnold) wrote :

Thanks, patch looked good; I changed SECURITY-UPDATE to SECURITY UPDATE in the changelog (to make 'umt check' happy), and confirmed that at least the simple "require 'openid'" test functioned before and after the update. I wish we had a way to test this, however.

Can you figure out how to run the /usr/share/doc/ruby-openid/examples/rails_openid/ application that is provided? I never managed to get it to start despite my best flailing around. Thanks.

Changed in ruby-openid (Ubuntu Quantal):
status: New → Incomplete
Christian Kuersteiner (ckuerste) wrote :

Finally I managed to run the rails_openid example. I created a new empty rails2 application with 'rails openid' and copied the relevant files from the example to the new application.
Like this I could start the example application and create a new identity. However, I could not start the second server with 'script/server --port=3001'. The application didn't understand the port part. The behaviour was the same for the patched and unpatched versions.
What do you think? Do we need some additional testing for this patch?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-openid - 2.1.8debian-5ubuntu0.1

---------------
ruby-openid (2.1.8debian-5ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: XML denial of service attack (LP: #1190179)
    - debian/patches/02_CVE_2013_1812.patch: lib/openid/fetchers.rb,
      lib/openid/yadis/xrds.rb: limit fetching file size & disable XML entity
      expansion. Based on upstream patch.
    - CVE-2013-1812
 -- Christian Kuersteiner <email address hidden> Wed, 12 Jun 2013 16:37:06 +0700

Changed in ruby-openid (Ubuntu Quantal):
status: Incomplete → Fix Released
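The changelog above names two controls: a cap on the fetched file size and XML entity expansion disabled in the XRDS parser. The following is an added Ruby example, not the upstream patch or the Ubuntu package's own code, showing both applied to a Yadis/XRDS discovery response parsed with REXML; `MAX_RESPONSE_BYTES` (an assumed value, the page does not quote the patch's figure), `DiscoveryError` and `parse_xrds` are names chosen here.

```ruby
require 'rexml/document'

# Added example, not ruby-openid's own code. It applies the two controls the
# Quantal changelog names for CVE-2013-1812 (cap the fetched body, disable
# XML entity expansion) to an XRDS response. The byte cap is an assumed value.
MAX_RESPONSE_BYTES = 1_048_576
class DiscoveryError < StandardError; end

# Control 1: refuse to hand an oversized body to the XML parser at all.
def check_response_size(body)
  if body.bytesize > MAX_RESPONSE_BYTES
    raise DiscoveryError, "response body exceeds #{MAX_RESPONSE_BYTES} bytes"
  end
  body
end

# Control 2: parse with REXML's entity expansion limit set to 0, so the first
# entity reference aborts processing. Returns the <URI> values found.
def parse_xrds(text)
  check_response_size(text)
  saved_limit = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = 0
  doc = REXML::Document.new(text)
  uris = []
  doc.root.each_recursive { |e| uris << e.text.to_s.strip if e.name == 'URI' }
  uris
rescue REXML::ParseException => e
  raise DiscoveryError, "not an XRDS document: #{e.message}"
rescue RuntimeError => e
  # REXML reports an exceeded expansion limit as a plain RuntimeError.
  raise DiscoveryError, "entity expansion rejected: #{e.message}"
ensure
  REXML::Security.entity_expansion_limit = saved_limit if saved_limit
end

# Constructed samples: a benign XRDS response, and one that declares an
# internal entity and references it, which is the first step of the attack.
CLEAN_XRDS = <<~'XML'
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service><URI>http://example.com/openid</URI></Service></XRD>
  </xrds:XRDS>
XML
ENTITY_XRDS = <<~'XML'
  <!DOCTYPE xrds:XRDS [ <!ENTITY a "aaaaaaaaaa"> ]>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service><URI>http://example.com/&a;</URI></Service></XRD>
  </xrds:XRDS>
XML
```

`parse_xrds(CLEAN_XRDS)` returns the single service URI, while `parse_xrds(ENTITY_XRDS)` raises `DiscoveryError` as soon as the entity would be expanded; the saved limit is restored either way.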
Seth Arnold (seth-arnold) wrote :

Thanks for the additional testing; the patch looked reasonable, so making sure the package worked is likely sufficient; actually exploiting this vulnerability would be enough extra work that I think the effort would be better spent elsewhere.

Thanks Christian
