brunorijsman / rift-python

Routing In Fat Trees (RIFT) implementation in Python
Apache License 2.0

requirements-3-567.txt: use rsa 4.1 #105

Closed flavio-fernandes closed 2 years ago

flavio-fernandes commented 3 years ago

Use newer rsa to address CVE-2020-13757

Vulnerable versions: < 4.1
Patched version: 4.1

Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

flavio-fernandes commented 3 years ago

Hi @brunorijsman !

I did not check if/how this change breaks things, so please do not merge w/out some testing. Mostly wanted to bring this CVE issue to your attention.

codecov-commenter commented 3 years ago

Codecov Report

Merging #105 (22be9d4) into master (124d0b2) will increase coverage by 0.03%. The diff coverage is n/a.


@@            Coverage Diff             @@
##           master     #105      +/-   ##
==========================================
+ Coverage   84.89%   84.93%   +0.03%     
==========================================
  Files          37       37              
  Lines        9947     9947              
==========================================
+ Hits         8445     8448       +3     
+ Misses       1502     1499       -3     

| Impacted Files | Coverage Δ | |
|---|---|---|
| rift/interface.py | 83.13% <0.00%> (+0.22%) | :arrow_up: |


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 124d0b2...22be9d4.