Skip to content

4.0.7

Choose a tag to compare

View all tags
@Spomky Spomky released this 06 Jun 18:08
· 28 commits to 4.2.x since this release
4.0.7
9d87800
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release Notes for 4.0.7

Security patch release (4.0.x).

Brings the security fixes up from 3.4.x (#652):

  • PBES2-HS*+A*KW — bounded p2c (PBKDF2 iteration count) to prevent a CPU-amplification denial of service. (GHSA-3prj-6hqw-cm82)
  • ChaCha20-Poly1305 key encryption — Poly1305 authentication tag now emitted and verified. (GHSA-6vvh-pxr4-25r7)
  • RSA1_5 — constant-time implicit rejection (Bleichenbacher mitigation). (GHSA-5739-39v2-5754)
  • JWSalg read only from the integrity-protected header (algorithm-confusion mitigation). (GHSA-jc38-x7x8-2xc8)

Also included:

Contributors

Spomky
Assets 2
Loading