Hi,
I'm unsure how to best report security vulnerabilities.
I have previously reported some of the vulnerabilities that I found to https://github.com/emz-hanauer/dart-cryptography, since this fork seems to be better maintained and I have tested against this version (i.e. emz-hanauer#12, emz-hanauer#13 and emz-hanauer#14).
I'm assuming that the same issues also affect this version here, as I have not seen any changes to the relevant code.
The authentication issues with CTR and CBC modes especially require some coordination and planning, since probably the best way forward is to add proper authenticated encryption modes (e.g. the encryption modes defined in Section 5.1 of RFC 7518) and deprecate the broken ones.
Reporting is also a bit of a problem, since it is unclear how to report new issues without risking that reports/comments and fixes are spread out over two projects, potentially leading to additional issues.
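To make concrete what "proper authenticated encryption" for CBC means in the RFC 7518 sense, here is an added example that is not part of the issue above and not code from either dart-cryptography fork. It implements the A128CBC-HS256 construction listed in Section 5.1 and specified in Section 5.2 of RFC 7518 using only the Go standard library: the 32-byte key is split into a MAC key and an AES-128 key, the ciphertext is authenticated with HMAC-SHA256 over AAD || IV || ciphertext || AL (AL being the AAD bit length as a 64-bit big-endian integer), the tag is truncated to 16 bytes, and decryption verifies the tag in constant time before touching the ciphertext or its padding. The key, AAD and plaintext in `main` are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors returned by the authenticated decryption path.
var (
	ErrAuth    = errors.New("a128cbc-hs256: authentication failed")
	ErrPadding = errors.New("a128cbc-hs256: bad PKCS#7 padding")
)

// pkcs7Pad appends PKCS#7 padding up to a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding; it is only reached after the tag verified,
// so padding errors here cannot be turned into a padding oracle.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, ErrPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrPadding
		}
	}
	return b[:len(b)-n], nil
}

// tag computes the RFC 7518 Section 5.2.2.1 MAC input AAD || IV || C || AL,
// where AL is the AAD length in bits as a 64-bit big-endian integer, and
// returns the HMAC-SHA256 output truncated to T_LEN = 16 bytes.
func tag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(aad)
	h.Write(iv)
	h.Write(ct)
	h.Write(al)
	return h.Sum(nil)[:16]
}

// Encrypt implements A128CBC-HS256: key is 32 bytes, the first 16 are the
// MAC key and the last 16 the AES-128 key. Returns IV, ciphertext and tag.
func Encrypt(key, aad, plaintext []byte) (iv, ct, t []byte, err error) {
	if len(key) != 32 {
		return nil, nil, nil, errors.New("a128cbc-hs256: key must be 32 bytes")
	}
	macKey, encKey := key[:16], key[16:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, nil, nil, err
	}
	iv = make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return iv, ct, tag(macKey, aad, iv, ct), nil
}

// Decrypt verifies the tag in constant time before decrypting, so a modified
// IV, ciphertext or AAD is rejected without revealing anything about padding.
func Decrypt(key, aad, iv, ct, t []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	macKey, encKey := key[:16], key[16:]
	if !hmac.Equal(t, tag(macKey, aad, iv, ct)) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample key
	aad := []byte("constructed-header")
	iv, ct, t, err := Encrypt(key, aad, []byte("attack at dawn"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, aad, iv, ct, t)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	ct[0] ^= 1 // flip one ciphertext bit; plain CBC would silently decrypt garbage
	_, err = Decrypt(key, aad, iv, ct, t)
	fmt.Println("tampered ciphertext:", err)
}
```

The point of the example is the order of operations in `Decrypt`: the tag check covers the IV, the ciphertext and the associated data, and it runs before any CBC decryption or padding check, which is exactly what plain CBC and CTR lack. An AES-GCM mode from the same table (A128GCM etc.) gives the same guarantee via `cipher.NewGCM` and is the simpler choice for new code.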