Use constant-time string comparison for sigs

[anfedorov]

Fixed #12

[anfedorov]

@jasongoodwin can I get an ack you saw this / comment on what to do with it? would prefer not to branch / publish our own version but not having a timing attack seems important.

[anfedorov]

/poke @jasongoodwin

[jasongoodwin]

having a peak. sincerest apologies - started a new role and been neck deep in code.

[anfedorov]

No worries and thank you!​

[anfedorov]

@jasongoodwin please cut an updated release to mvn so folks can benefit from this fix

[anfedorov]

@jasongoodwin this vuln has been rated "critical" by NVD (source). please cut a new release.

[jasongoodwin]

I'll put it in my calendar for this eve! Sorry haven't been faster with responses

On Mon, May 14, 2018, 2:10 PM Andrey Fedorov notifications@github.com wrote:

@jasongoodwin https://github.com/jasongoodwin this vuln has been rated "critical" by NVD (source https://nvd.nist.gov/vuln/detail/CVE-2017-18239). please cut a new release.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jasongoodwin/authentikat-jwt/pull/36#issuecomment-388911317, or mute the thread https://github.com/notifications/unsubscribe-auth/ACtqLL2QXAaAjw8aFgg9WwhAJjfI-d2qks5tyciogaJpZM4QSOxr .

[anfedorov]

no worries, thanks, and looking forward to updating!

[jasongoodwin]

Hey I'm having some troubles with my pgp keys :( I nuked my sbt config. I'll give it a whirl tomorrow.

[anfedorov]

yeah, old keys do that sometimes. can you still deploy without them? let me know if I can help — haven't actually deployed anything to mvn but can help figure out specific questions if you have any?

[madhead]

I know it's quite of time passed, but are there any news on releasing 0.4.6?

[oloushkin-ah]

+

[sfc-gh-afedorov]

the release is a separate issue https://github.com/jasongoodwin/authentikat-jwt/issues/39