deps: update module github.com/cloudflare/circl to v1.3.3 [SECURITY] #32

Merged

renovate[bot]
Contributor

@renovate renovate bot commented May 11, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/cloudflare/circl | indirect | patch | v1.3.2 -> v1.3.3 |

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-1732

Impact

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret.

The tkn20 and blindrsa components did not check whether enough randomness was returned from the user-provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number of random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.

Patches

The fix was introduced in CIRCL v. 1.3.3


Release Notes

cloudflare/circl

v1.3.3: CIRCL v1.3.3

Compare Source

New Features

  • ASCON light-weight authenticated encryption.
  • Hybrid KEM for HPKE based on Kyber and X25519.
  • CIRCL can be compiled both as static and dynamic linking modes.

Security

  • Fixes error-handling on rand readers.

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.3.2...v1.3.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@katexochen katexochen merged commit 5ebf0ad into main May 19, 2023
1 check passed
@katexochen katexochen deleted the renovate/go-github.com/cloudflare/circl-vulnerability branch May 19, 2023 08:08
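
The bug class described in the advisory above, as an added Go illustration (not CIRCL's code and not part of this PR): a seed sampled without checking the byte count or error from `Read`, next to a version that uses `io.ReadFull` and fails closed. `failingReader`, `sampleUnchecked`, `sampleChecked` and `zeroBytes` are hypothetical names, and the failing source is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// failingReader is a constructed randomness source: it delivers `limit`
// bytes of 0xAA in total and then fails.
type failingReader struct{ limit int }

func (r *failingReader) Read(p []byte) (int, error) {
	if r.limit == 0 {
		return 0, errors.New("entropy source unavailable")
	}
	n := copy(p, bytes.Repeat([]byte{0xAA}, r.limit))
	r.limit -= n
	return n, nil
}

// sampleUnchecked shows the bug class: the count and error from Read are
// discarded, so a short or failed read leaves zero bytes in the seed.
func sampleUnchecked(rnd io.Reader, size int) []byte {
	seed := make([]byte, size)
	_, _ = rnd.Read(seed)
	return seed
}

// sampleChecked returns a seed only if every byte was filled by the source.
func sampleChecked(rnd io.Reader, size int) ([]byte, error) {
	seed := make([]byte, size)
	if _, err := io.ReadFull(rnd, seed); err != nil {
		return nil, fmt.Errorf("reading %d random bytes: %w", size, err)
	}
	return seed, nil
}

// zeroBytes counts seed bytes that still hold the zero value.
func zeroBytes(b []byte) int { return bytes.Count(b, []byte{0}) }

func main() {
	weak := sampleUnchecked(&failingReader{limit: 8}, 32)
	fmt.Printf("unchecked: %x (%d of 32 bytes never written)\n", weak, zeroBytes(weak))
	_, err := sampleChecked(&failingReader{limit: 8}, 32)
	fmt.Println("checked:", err)
}
```
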