Closed StephenRadachy closed 1 year ago
I don't think Kodiak is vulnerable to this issue because Kodiak doesn't symmetrically encrypt multi-GB values.
Regarding the timing attacks, I don't think that's an issue for us because we don't allow users to initiate connections to Kodiak, only GitHub.
But like these other vulnerabilities, I'd welcome a PR to update the package.
We've upgraded to cryptography 3.4.6 with #826, so this issue is no longer valid.
Upgrade cryptography-2.8: https://nvd.nist.gov/vuln/detail/CVE-2020-36242, https://nvd.nist.gov/vuln/detail/CVE-2020-25659
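An added example of the kind of check a maintainer would run before closing a thread like this: audit a pinned `cryptography` version against the two CVEs linked above. This is example code written for this page, not Kodiak's own code. The fixed-version thresholds are taken from the NVD/GitHub advisory entries for the two CVEs (3.3.2 for CVE-2020-36242, 3.3 for CVE-2020-25659) and should be re-verified against those entries before relying on them; the requirements text is constructed for the example.

```python
"""Audit a pinned `cryptography` version against the CVEs discussed above.

Example code for this page (not Kodiak's code). The thresholds below are an
assumption taken from the advisory text; check the linked NVD entries first.
"""
import re
from typing import Dict, List, Tuple

# Version in which each CVE was fixed, per the advisories (assumption: verify).
FIXED_IN: Dict[str, Tuple[int, int, int]] = {
    # integer/buffer overflow when symmetrically encrypting multi-GB values
    "CVE-2020-36242": (3, 3, 2),
    # Bleichenbacher timing side channel in RSA PKCS#1 v1.5 decryption
    "CVE-2020-25659": (3, 3, 0),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_PIN_RE = re.compile(r"^cryptography\s*==\s*([0-9][\w.]*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.8' or '3.4.6' into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(part or 0) for part in match.groups())
    return (major, minor, patch)


def open_cves(version: str) -> List[str]:
    """Return the CVE IDs that still apply to the given pinned version."""
    pinned = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if pinned < fixed)


def audit_requirements(requirements: str) -> Dict[str, List[str]]:
    """Scan requirements-style text for `cryptography==X` pins.

    Returns a mapping of each pinned version found to its open CVEs; an empty
    list means the pin is at or above every fix version in FIXED_IN.
    """
    findings: Dict[str, List[str]] = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = _PIN_RE.match(line)
        if match:
            version = match.group(1)
            findings[version] = open_cves(version)
    return findings


# Constructed sample: the pin before the upgrade and the pin after it.
SAMPLE_BEFORE = "requests==2.25.1\ncryptography==2.8  # pinned in 2019\n"
SAMPLE_AFTER = "requests==2.25.1\ncryptography==3.4.6\n"

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for version, cves in audit_requirements(text).items():
            status = ", ".join(cves) if cves else "no open CVEs from this list"
            print(f"{label}: cryptography=={version}: {status}")
```

The check only answers "is the pinned version below the fix version"; whether a vulnerable code path is actually reachable (multi-GB symmetric encryption, or attacker-timed RSA PKCS#1 v1.5 decryption) is the separate question the comments above work through, and a version bump settles both.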