Closed techport-om closed 8 months ago
Thanks for highlighting this issue. I'm already monitoring weekly vulnerability reports and plan to update the version in the next major release, unless an urgent need arises to expedite the process. The vulnerability, related to inputting keys of varying sizes, should be mitigated already in the current architecture through rusty-paseto's implementation of fixed-size, strongly-typed keys, reducing any immediate risk.
Nevertheless, due to the type-specific nature of the crate, updating is not merely a simple version bump. I appreciate your vigilance and the effort you've made to inform me. I'll resolve this issue when the new version of the dalek crate is incorporated. I understand this might affect users who rely on cargo audit in their CI workflows, and I am open to discussions if there's a critical need for an earlier release.
Thanks again for taking the time to log this issue.
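The mitigation argument in the comment above (fixed-size, strongly typed keys stop callers from handing over a key of the wrong length) as an added Rust illustration; this is not rusty_paseto's code, and `FixedKey`, `KeyError`, `KEY_LEN` and the two functions are hypothetical names chosen for the example.

```rust
// Added illustration (not rusty_paseto's code): a newtype that can only hold
// exactly KEY_LEN bytes, so a wrong-length key is rejected when it is built,
// before it can reach any signing or verification code.
use std::convert::{TryFrom, TryInto};

/// Ed25519 key length in bytes (constant chosen for this example).
pub const KEY_LEN: usize = 32;

/// Hypothetical fixed-size key type. No Debug derive: key bytes should not be
/// printable by accident.
#[derive(Clone, PartialEq, Eq)]
pub struct FixedKey([u8; KEY_LEN]);

#[derive(Debug, PartialEq, Eq)]
pub enum KeyError {
    WrongLength { expected: usize, got: usize },
}

impl TryFrom<&[u8]> for FixedKey {
    type Error = KeyError;
    /// The single length check: every FixedKey in the program passed through here.
    fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
        let arr: [u8; KEY_LEN] = bytes.try_into().map_err(|_| KeyError::WrongLength {
            expected: KEY_LEN,
            got: bytes.len(),
        })?;
        Ok(FixedKey(arr))
    }
}

/// Loose API: any slice compiles, so a 31- or 64-byte "key" reaches the callee
/// and the length check, if any, is that function's problem.
pub fn loose_accepts_any_length(key: &[u8]) -> usize {
    key.len()
}

/// Strict API: only a FixedKey type-checks, so the length is known to be KEY_LEN.
pub fn strict_accepts_only_fixed(key: &FixedKey) -> usize {
    key.0.len()
}

fn main() {
    let oversized = [7u8; 64];
    println!("loose API accepted {} bytes", loose_accepts_any_length(&oversized));
    println!("strict API: {:?}", FixedKey::try_from(&oversized[..]).err());
}
```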
A Security Advisory has been published for transparency and a CVE requested from GitHub. Thanks again.
This is now resolved in today's v0.6.0 release. Thanks again!
I would like to thank you for the swift response. I really appreciate you taking the time to fix it, as well as having weekly vulnerability monitoring via reports.
Describe the bug: Found vulnerability when running cargo audit.
To Reproduce Steps to reproduce the behavior:
Expected behavior: the vulnerability can be resolved by bumping up the ed25519-dalek crate version.
Screenshots: ![Screenshot from 2023-11-05 23-04-20](https://github.com/rrrodzilla/rusty_paseto/assets/133317769/e1235782-7cf7-4bef-8406-7fb8043cd266)
Desktop (please complete the following information):