Security issue reported by our security team #3304
Hi, @kalyanAsadi Thanks for reporting it.
MD5 is removed in AWS SDK 2.20.0
Security team is saying these are MD5 and SHA1 are *weak hashing algorithms* needs to be updated by latest ones.
strlen, memcpy are also deprecated.
On Wed, Dec 16, 2020 at 12:07 AM RuiGuo ***@***.***> wrote:
@kalyanAsadi <https://github.com/kalyanAsadi>
- I do see APIs like CC_MD5 and CC_SHA1_Init still being used, do you mean these two APIs?
- I can see that strncpy <https://developer.apple.com/documentation/kernel/1579331-strncpy> is marked as deprecated by Apple, but not for strlen <https://developer.apple.com/documentation/kernel/1579342-strlen> and memcpy <https://developer.apple.com/documentation/kernel/1579338-memcpy>. Can you provide more info or context on this one?
--
Thanks & Regards
*A.N.KALYAN*
Sr.iPhone Developer
+91-9000483569
One more thing to mention. But it's not getting updated to the latest 2.20.0; instead it's giving 2.19.1.
@kalyanAsadi Regarding your Pod issue: You have specified your project requires the deprecated Please remove the
Thanks for the answer.
Thank you for reporting your concerns. We have addressed each of them below.
Weak hashing algorithms
C API usage
These usages do not represent a security issue.
We've posted #3345 to update the IoT digest algorithm to SHA256
We have released this patch on https://github.com/aws-amplify/aws-sdk-ios/releases/tag/2.21.1. Please let us know if you have any further questions.
This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.
Use of weak hashing algorithm
Usage banned / deprecated functions
AWSCognitoIdentityUserpool, AWSCognitoIdentityASF, AWSEXTRuntimeExtensions are using banned/deprecated functions like strlen, strncpy, memcpy.
AWSS3TransferManager uses MD5 algorithm
Environment (please complete the following information):
Is there any way to update these deprecated functions in the API to updated ones?
Please let me know if anything is needed from my side.
Thanks & Regards
A.N.Kalyan
Sr. iOS Developer
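As an added illustration (not code from the SDK or from anyone in this thread), the C sketch below shows the behaviour behind findings on the three functions named in the report: `strncpy` can leave a buffer without a terminating NUL, while `memcpy` is safe once the length has been validated and a bounded `memchr` stands in for an unbounded `strlen`. The helper names `copy_cstring` and `strncpy_terminated` and the sample input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of the AWS SDK: copy a C string into a
 * fixed-size buffer. src_max bounds how far src may be read.
 * Returns 0 on success, -1 if src is unterminated within src_max or
 * does not fit in dst (dst is then left as an empty string). */
int copy_cstring(char *dst, size_t dst_size, const char *src, size_t src_max)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    /* Bounded search for the terminator; strlen would read until it
     * finds a NUL, however far past the buffer that is. */
    const char *nul = memchr(src, '\0', src_max);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - src);
    if (len >= dst_size)
        return -1;
    /* memcpy is safe here because len + 1 <= dst_size was just checked. */
    memcpy(dst, src, len + 1);
    return 0;
}

/* The pattern that gets flagged: strncpy writes no NUL when
 * strlen(src) >= dst_size. Returns 1 if dst is terminated, else 0. */
int strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

int main(void)
{
    char buf[8];
    const char *name = "exactly8"; /* constructed input: 8 chars + NUL */
    printf("strncpy terminated: %d\n", strncpy_terminated(buf, sizeof buf, name));
    printf("copy_cstring result: %d\n", copy_cstring(buf, sizeof buf, name, 9));
    return 0;
}
```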