Open aramikm opened 2 months ago

Most were already fixed in master, though curve25519-dalek-ng, which is a fork of curve25519-dalek, seems to have not received updates for years, and it is not clear what useful changes you have on top of upstream and why it is still needed.
Description

Due to the recent timing variability issue discovered in https://rustsec.org/advisories/RUSTSEC-2024-0344, some libraries that depend on curve25519-dalek should be updated. It looks like there are 3 versions of curve25519-dalek being used directly and indirectly in polkadot-sdk:

curve25519-dalek v2.1.3
curve25519-dalek v3.2.0
curve25519-dalek v4.0.0

The patch for this issue is released in v4.1.3 and the direct dependency fix got merged into polkadot-sdk via this commit.

By looking into the dependency tree, there are still libraries such as ed25519-zebra, schnorrkel, libp2p, etc. that depend on an older version of curve25519-dalek. All of these dependencies should get updates once the fix is incorporated into those crates and released.

Acceptance Criteria
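The dependency-tree check the issue describes, as an added example that is not part of the issue or of polkadot-sdk: a small Cargo.lock scanner that lists every package whose curve25519-dalek dependency resolves to a release older than the patched 4.1.3 from RUSTSEC-2024-0344. The lockfile embedded below is constructed for the example; the crate names follow the issue, but their versions (and the example-runtime crate) are illustrative, not the real polkadot-sdk ones.

```rust
// Added example (not polkadot-sdk code): scan a Cargo.lock for every package that
// depends on a curve25519-dalek release older than the patched 4.1.3 from
// RUSTSEC-2024-0344. The lockfile below is constructed; its crate versions are
// illustrative and not the real polkadot-sdk ones.

/// First release carrying the timing fix, per the advisory.
pub const PATCHED: (u64, u64, u64) = (4, 1, 3);

/// Constructed sample lockfile (Cargo.lock v3 layout, one dependency per line).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "curve25519-dalek"
version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "curve25519-dalek"
version = "3.2.0"

[[package]]
name = "curve25519-dalek"
version = "4.1.3"

[[package]]
name = "ed25519-zebra"
version = "3.1.0"
dependencies = [
 "curve25519-dalek 3.2.0",
]

[[package]]
name = "schnorrkel"
version = "0.9.1"
dependencies = [
 "curve25519-dalek 2.1.3",
]

[[package]]
name = "example-runtime"
version = "0.1.0"
dependencies = [
 "curve25519-dalek 4.1.3",
 "ed25519-zebra",
 "schnorrkel",
]
"#;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Package { pub name: String, pub version: String, pub deps: Vec<String> }

/// Strip the surrounding double quotes of a TOML string literal.
fn unquote(s: &str) -> Option<String> {
    let s = s.trim();
    (s.len() >= 2 && s.starts_with('"') && s.ends_with('"')).then(|| s[1..s.len() - 1].to_string())
}

/// Parse the `[[package]]` tables; a `dependencies = [` list is read until its closing `]`.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs: Vec<Package> = Vec::new();
    let mut in_deps = false;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push(Package { name: String::new(), version: String::new(), deps: Vec::new() });
            in_deps = false;
            continue;
        }
        let cur = match pkgs.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false; }
            else if let Some(d) = unquote(line.trim_end_matches(',')) { cur.deps.push(d); }
        } else if let Some(v) = line.strip_prefix("name = ") { cur.name = unquote(v).unwrap_or_default(); }
        else if let Some(v) = line.strip_prefix("version = ") { cur.version = unquote(v).unwrap_or_default(); }
        else if line == "dependencies = [" { in_deps = true; }
    }
    pkgs
}

/// "4.0.0-rc.1+meta" -> (4, 0, 0); pre-release and build metadata are dropped.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Dependents of `krate` whose dependency resolves below `patched`:
/// (dependent as "name version", resolved krate version), sorted.
pub fn vulnerable_dependents(pkgs: &[Package], krate: &str, patched: (u64, u64, u64)) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for p in pkgs {
        for dep in &p.deps {
            // Lock entries read "name", "name version" or "name version (source)";
            // a bare name means only one version of that crate is in the lock.
            let mut parts = dep.split_whitespace();
            if parts.next() != Some(krate) { continue; }
            let want = parts.next();
            for t in pkgs.iter().filter(|t| t.name == krate && want.map_or(true, |v| v == t.version)) {
                match parse_semver(&t.version) {
                    Some(sv) if sv < patched => out.push((format!("{} {}", p.name, p.version), t.version.clone())),
                    _ => {}
                }
            }
        }
    }
    out.sort();
    out.dedup();
    out
}

fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    for (dependent, ver) in vulnerable_dependents(&pkgs, "curve25519-dalek", PATCHED) {
        println!("{} -> curve25519-dalek {} (below 4.1.3, needs a release that bumps it)", dependent, ver);
    }
}
```

On the constructed lockfile this reports ed25519-zebra (resolving to 3.2.0) and schnorrkel (resolving to 2.1.3), while example-runtime's own direct dependency on 4.1.3 is clean; that matches the situation in the issue, where the direct bump lands but the transitive crates stay on old releases until they publish. On a real checkout, `cargo tree -i curve25519-dalek@3.2.0` gives the same reverse-dependency answer for one version, and `cargo audit` will keep flagging the lockfile until every remaining old version is gone.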