Closed yaronbenezra closed 5 months ago
We are also interested in the ETA for the fix
As stated in the vulnerability release https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp and as stated in the security policy, timing attacks are outside the scope of the project.
If you need an implementation that is safe against side-channel attacks, I recommend using https://github.com/pyca/cryptography
It's a won't fix.
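For callers of ecdsa.SigningKey.sign_digest() who follow the recommendation above, this is an added example (not code from this thread, python-ecdsa or pyca/cryptography) of signing a precomputed digest with pyca/cryptography and returning the raw r||s encoding that sign_digest() produces by default. It assumes NIST P-256 with SHA-256 and an installed `cryptography` package; the helper names are hypothetical.

```python
# Added example: digest signing with pyca/cryptography (assumed installed).
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    Prehashed, decode_dss_signature, encode_dss_signature)

CURVE = ec.SECP256R1()                # assumption: the key is on NIST P-256
HASH = hashes.SHA256()                # assumption: digests are SHA-256
COORD_LEN = (CURVE.key_size + 7) // 8  # bytes per r or s value


def new_private_key():
    """Generate a fresh P-256 key (hypothetical helper for the demo)."""
    return ec.generate_private_key(CURVE)


def sign_digest(private_key, digest: bytes) -> bytes:
    """Sign an already-hashed message and return fixed-length r||s."""
    # Prehashed tells the library not to hash the input again.
    der = private_key.sign(digest, ec.ECDSA(Prehashed(HASH)))
    r, s = decode_dss_signature(der)  # library emits DER; unpack to integers
    return r.to_bytes(COORD_LEN, "big") + s.to_bytes(COORD_LEN, "big")


def verify_digest(public_key, signature: bytes, digest: bytes) -> bool:
    """Verify a raw r||s signature over a digest; False on any mismatch."""
    if len(signature) != 2 * COORD_LEN:
        return False
    r = int.from_bytes(signature[:COORD_LEN], "big")
    s = int.from_bytes(signature[COORD_LEN:], "big")
    try:
        public_key.verify(encode_dss_signature(r, s), digest,
                          ec.ECDSA(Prehashed(HASH)))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    key = new_private_key()
    digest = hashlib.sha256(b"constructed sample message").digest()
    sig = sign_digest(key, digest)
    print(len(sig), verify_digest(key.public_key(), sig, digest))
```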
Hi @tomato42, can you give more details on what you mean by "timing attacks are outside the scope of the project."? Does it mean that ecdsa is not affected or just that resolving that vulnerability is the responsibility of the users of ecdsa? Thanks
@dlpzx I mean that Python doesn't provide the primitives that are side-channel free, so it's impossible to build a side-channel free implementation on top of them. To actually fix it, it would require implementing the whole operation in C, which is a non-goal for the library (as it won't be pure-python any more).
Hello,
SNYK and other scanning tools alert on a package vulnerability (Timing Attack) found in the "sign_digest" API function (ecdsa.SigningKey.sign_digest()).
https://www.cve.org/CVERecord?id=CVE-2024-23342 (HIGH Alert)
Can you address when you are going to fix this?
Regards, Yaron