Denial of Service in latest version [1.2.3] #52
Comments
Confirmed. We're analyzing feasibility of a backward-compatible patch and will follow up with release schedule shortly.
New format does not allocate any memory until HMAC check passes, which guards against untrusted input. All encryption components have been updated to use the new header, while preserving backward compatibility to decrypt messages encrypted with the old format. The decoding process for the old header has been hardened to impose reasonable limits on header fields: nonce sizes up to 255 bytes, key names up to 500 bytes. Fixes vt-middleware#52.
Resolved by #53.
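The fix description above names two hardening moves: bound the length fields in the old header before anything is allocated from them (nonce up to 255 bytes, key name up to 500 bytes), and in the new format authenticate the header with an HMAC before any field is parsed. The following is an added example written for this page, not cryptacular's own code; the header layouts, field names, the u16 body-length prefix and the HMAC-SHA256 tag are assumptions chosen to illustrate the pattern, not the library's real wire format. It shows the unchecked decoder that allocates whatever the header claims, the bounded legacy decoder, and the authenticate-then-parse decoder side by side.

```python
"""Length-prefixed ciphertext header parsing, three ways: the unchecked pattern
that allocates whatever the header claims, a legacy decoder hardened with the
limits named in the fix (nonce <= 255 bytes, key name <= 500 bytes), and a
new-style header that is only parsed after its HMAC verifies.

Assumptions: the header layouts, field names, the u16 body-length prefix and
the HMAC-SHA256 tag are illustrative and are NOT cryptacular's real format.
"""
import hashlib
import hmac
import io
import struct

MAX_NONCE_LEN = 255       # limit stated in the fix
MAX_KEY_NAME_LEN = 500    # limit stated in the fix
TAG_LEN = 32              # HMAC-SHA256 output length (assumed tag)
# Largest legitimate new-style body: version, nonce length, nonce, name length, name.
MAX_HEADER_BODY_LEN = 1 + 1 + MAX_NONCE_LEN + 2 + MAX_KEY_NAME_LEN


class HeaderError(ValueError):
    """Raised for any malformed, oversized or unauthenticated header."""


def _read_exact(stream: io.BytesIO, n: int) -> bytes:
    """Read exactly n bytes or fail; never returns a buffer larger than the input."""
    buf = stream.read(n)
    if len(buf) != n:
        raise HeaderError(f"truncated header: wanted {n} bytes, got {len(buf)}")
    return buf


# --- Legacy layout (assumed): u32 nonce length, nonce, u32 name length, name.

def encode_legacy_header(nonce: bytes, key_name: str) -> bytes:
    name = key_name.encode("utf-8")
    return struct.pack(">I", len(nonce)) + nonce + struct.pack(">I", len(name)) + name


def decode_legacy_header_unchecked(data: bytes):
    """Vulnerable pattern: trust each 4-byte length and allocate a buffer of that
    size before checking that the bytes exist. A few dozen header bytes can
    demand gigabytes, which is the memory-exhaustion denial of service."""
    stream = io.BytesIO(data)
    nonce_len = struct.unpack(">I", stream.read(4))[0]
    nonce = bytearray(nonce_len)       # allocation size chosen by the sender
    stream.readinto(nonce)
    name_len = struct.unpack(">I", stream.read(4))[0]
    name = bytearray(name_len)         # likewise
    stream.readinto(name)
    return nonce, name


def decode_legacy_header(data: bytes):
    """Hardened legacy decoder: bound every length before allocating anything
    sized by it, and require the declared bytes to actually be present."""
    stream = io.BytesIO(data)
    nonce_len = struct.unpack(">I", _read_exact(stream, 4))[0]
    if nonce_len > MAX_NONCE_LEN:
        raise HeaderError(f"nonce length {nonce_len} exceeds {MAX_NONCE_LEN}")
    nonce = _read_exact(stream, nonce_len)
    name_len = struct.unpack(">I", _read_exact(stream, 4))[0]
    if name_len > MAX_KEY_NAME_LEN:
        raise HeaderError(f"key name length {name_len} exceeds {MAX_KEY_NAME_LEN}")
    name = _read_exact(stream, name_len).decode("utf-8")
    return nonce, name


# --- New layout (assumed): u16 body length, body, HMAC-SHA256 tag over body.
# Body: version byte, u8 nonce length, nonce, u16 name length, name.

def encode_header(nonce: bytes, key_name: str, mac_key: bytes) -> bytes:
    name = key_name.encode("utf-8")
    if len(nonce) > MAX_NONCE_LEN or len(name) > MAX_KEY_NAME_LEN:
        raise HeaderError("header field too long")
    body = bytes([1, len(nonce)]) + nonce + struct.pack(">H", len(name)) + name
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return struct.pack(">H", len(body)) + body + tag


def decode_header(data: bytes, mac_key: bytes):
    """New-style decoder: the only length trusted before authentication is the
    u16 body length, itself capped at MAX_HEADER_BODY_LEN, so the worst case
    read before the tag check is under 1 KiB. Fields are parsed only after the
    HMAC matches, so a forged body never steers an allocation."""
    stream = io.BytesIO(data)
    body_len = struct.unpack(">H", _read_exact(stream, 2))[0]
    if body_len > MAX_HEADER_BODY_LEN:
        raise HeaderError(f"header body length {body_len} exceeds {MAX_HEADER_BODY_LEN}")
    body = _read_exact(stream, body_len)
    tag = _read_exact(stream, TAG_LEN)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise HeaderError("header authentication failed")
    # Authenticated: now parse the fields (still bounds-checked, all cheap).
    bs = io.BytesIO(body)
    version = _read_exact(bs, 1)[0]
    if version != 1:
        raise HeaderError(f"unsupported header version {version}")
    nonce = _read_exact(bs, _read_exact(bs, 1)[0])
    name_len = struct.unpack(">H", _read_exact(bs, 2))[0]
    if name_len > MAX_KEY_NAME_LEN:
        raise HeaderError(f"key name length {name_len} exceeds {MAX_KEY_NAME_LEN}")
    name = _read_exact(bs, name_len).decode("utf-8")
    if bs.read(1):
        raise HeaderError("trailing bytes in header body")
    return nonce, name


if __name__ == "__main__":
    key = b"k" * 32                                   # constructed demo MAC key
    print(decode_header(encode_header(b"\x01" * 12, "aes-key-2020", key), key))
    # Constructed legacy header claiming a 2 GiB key name: rejected before allocation.
    evil = struct.pack(">I", 12) + b"\x01" * 12 + struct.pack(">I", 1 << 31)
    try:
        decode_legacy_header(evil)
    except HeaderError as exc:
        print("rejected:", exc)
```

Note that the unchecked decoder really does allocate the claimed size; running it on the constructed 2 GiB header above would exhaust memory on a small host, which is exactly the failure the issue describes, so exercise it only with modest forged lengths.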
Hi, when is the fixed version planned to be released? And is there a plan to backport this patch to the 1.1.x version? Thanks,
I'm hoping for a release in the next week. Have you done any testing with the latest snapshot? |
1.2.4 has been released. |
Hi, Thanks for this open-source project. The project Cryptacular is vulnerable to CVE-2020-7226, for details see [1] This is mitigated in Cryptacular version 1.2.4 [2] Regards, Manjunath 1. https://nvd.nist.gov/vuln/detail/CVE-2020-7226 2. vt-middleware/cryptacular#52
Actual source code reference seems to be
right. And here
Please confirm if it is vulnerable.
Mitre id: CVE-2020-7226
Reporter: findneo