chdsbd / kodiak

🔮 A bot to automatically update and merge GitHub PRs
https://kodiakhq.com
GNU Affero General Public License v3.0
1.03k stars, 65 forks

CVE-2020-36242 and CVE-2020-25659 #819

Closed. StephenRadachy closed this issue 1 year ago.

StephenRadachy commented 2 years ago

Upgrade cryptography-2.8: https://nvd.nist.gov/vuln/detail/CVE-2020-36242, https://nvd.nist.gov/vuln/detail/CVE-2020-25659

chdsbd commented 2 years ago

I don't think Kodiak is vulnerable to this issue because Kodiak doesn't symmetrically encrypt multi-GB values.

Regarding the timing attacks, I don't think that's an issue for us because we don't allow users to initiate connections to Kodiak, only GitHub.

But like these other vulnerabilities, I'd welcome a PR to update the package.

chdsbd commented 1 year ago

We've upgraded to cryptography 3.4.6 with #826, so this issue is no longer valid