Critical vulnerability in v1.2.0 #274
opaque-ke 1.2.0 depends on curve25519-dalek 3, which in turn depends on rand_core 0.5.1. This version of rand_core has a critical bug. I think we can fix this by patching v1.2 of opaque-ke to use the same version of curve25519-dalek that is used on master. Thoughts?

Comments

Link to our Dependabot alert: https://github.com/CommE2E/comm/security/dependabot/76

@vdhanan: The link you provided above returns a 404 for me. Can you provide a new one, or one for the critical bug in rand_core?

@kevinlewi sorry about that! Here's a screenshot:

And here's the CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27378

From https://nvd.nist.gov/vuln/detail/CVE-2021-27378 : From (including) 0.6.0 | Up to (excluding) 0.6.2. So it looks like rand_core v0.5 is unaffected. This also matches what I expected to see on crates.io for the package, https://crates.io/crates/rand_core/versions (versions 0.6.0 and 0.6.1 were yanked, but 0.5.1 is still up).

Closing as this is not a vulnerability (but feel free to reopen if you think there is more discussion to be had...!)

Looks like dependabot was wrong! Sorry about that!