Use constant-time string comparison for sigs #36
|
@jasongoodwin can I get an ack you saw this / comment on what to do with it? would prefer not to branch / publish our own version but not having a timing attack seems important. |
|
/poke @jasongoodwin |
|
having a peek. sincerest apologies - started a new role and been neck deep in code. |
|
No worries and thank you!
|
|
@jasongoodwin please cut an updated release to mvn so folks can benefit from this fix |
|
@jasongoodwin this vuln has been rated "critical" by NVD (source). please cut a new release. |
|
I'll put it in my calendar for this eve! Sorry haven't been faster with responses
> On Mon, May 14, 2018, 2:10 PM Andrey Fedorov wrote:
> @jasongoodwin this vuln has been rated "critical" by NVD (source <https://nvd.nist.gov/vuln/detail/CVE-2017-18239>). please cut a new release.
|
|
no worries, thanks, and looking forward to updating! |
|
Hey I'm having some troubles with my pgp keys :( I nuked my sbt config. |
|
yeah, old keys do that sometimes. can you still deploy without them? let me know if I can help — haven't actually deployed anything to mvn but can help figure out specific questions if you have any? |
|
I know quite some time has passed, but is there any news on releasing 0.4.6? |
|
|
|
the release is a separate issue #39 |
Fixed #12