Maintenance: Applied required changes to resolve 'omniauth' CVE-2015-9284

While Zammad was not affected, it was using GET requests. These are now prohibited because they enable the attack vector (in other scenarios). Since it's not a general 'rails' or 'omniauth' issue but an issue affecting scenarios where both are combined, it is required to use the 'omniauth-rails_csrf_protection' gem instead of 'omniauth' for those scenarios.

More information can be found here:
omniauth/omniauth#809
omniauth/omniauth#809 (comment)
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
https://github.com/cookpad/omniauth-rails_csrf_protection
rubysec/ruby-advisory-db#390 (comment)