Fedora has issued an advisory on August 24:
Fedora has a patch, and a link to the upstream commit to fix it in bugzilla:
Mageia 2 and Mageia 3 are also affected.
Steps to Reproduce:
php-pear-Auth_OpenID-2.2.2-1.mga2, php-pear-Auth_OpenID-2.2.2-1.mga3 and php-pear-Auth_OpenID-2.2.2-1.mga4 has been submitted where this is fixed.
Updated php-pear-Auth_OpenID packages fix security vulnerability:
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote
attackers to read arbitrary files, send HTTP requests to intranet servers, or
cause a denial of service (CPU and memory consumption) via XRDS data containing
an external entity declaration in conjunction with an entity reference, related
to an XML External Entity (XXE) issue (CVE-2013-4701).
Updated packages in core/updates_testing:
As discussed with David Walser on irc, just testing that it installs cleanly.
Advisory 11147.adv committed to svn.
Someone from the sysadmin team please push 11147.adv to updates.