Critical vulnerability in v1.2.0

[vdhanan]

opaque-ke 1.2.0 depends on curve25519-dalek 3, which in turn depends on rand_core 0.5.1. This version of rand_core has a critical bug. I think we can fix this by patching v1.2 of opaque-ke to use the same version of curve25519-dalek that is used on master. Thoughts?

[vdhanan]

Link to our Dependabot alert: https://github.com/CommE2E/comm/security/dependabot/76

[kevinlewi]

@vdhanan: The link you provided above returns a 404 for me. Can you provide a new one, or one for the critical bug in rand_core?

[vdhanan]

@kevinlewi sorry about that! here's a screenshot:

[vdhanan]

And here's the CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27378

[kevinlewi]

From https://nvd.nist.gov/vuln/detail/CVE-2021-27378 ,

From (including)0.6.0 | Up to (excluding)0.6.2

So it looks like rand_core v0.5 is unaffected. This also matches what I expected see on crates.io for the package, https://crates.io/crates/rand_core/versions (versions 0.6.0 and 0.6.1 were yanked, but 0.5.1 is still up)

[kevinlewi]

Closing as this is not a vulnerability (but feel free to reopen if you think there is more discussion to be had...!)

[vdhanan]

Looks like dependabot was wrong! Sorry about that!