tlsfuzzer / python-ecdsa

pure-python ECDSA signature/verification and ECDH key agreement

CVE-2024-23342 Timing Attack #330

Closed yaronbenezra closed 5 months ago

yaronbenezra commented 5 months ago

Hello,

SNYK and other scanning tools alert on a package vulnerability (Timing Attack) found at the "sign_digest" API function (ecdsa.SigningKey.sign_digest()).

https://www.cve.org/CVERecord?id=CVE-2024-23342 (HIGH Alert)

Can you address when you are going to fix this?

Regards, Yaron

maksimu commented 5 months ago

We are also interested in the ETA for the fix.

tomato42 commented 5 months ago

As stated in the vulnerability release https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp and as stated in the security policy, timing attacks are outside the scope of the project.

If you need an implementation that is safe against side-channel attacks, I recommend using https://github.com/pyca/cryptography

It's a won't fix.

dlpzx commented 5 months ago

Hi @tomato42, can you give more details on what you mean by "timing attacks are outside the scope of the project."? Does it mean that ecdsa is not affected, or just that resolving that vulnerability is the responsibility of the users of ecdsa? Thanks

tomato42 commented 5 months ago

@dlpzx I mean that Python doesn't provide primitives that are side-channel free, so it's impossible to build a side-channel free implementation on top of them. To actually fix it, it would require implementing the whole operation in C, which is a non-goal for the library (as it won't be pure-Python any more).
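The following is an added illustration of the maintainer's point above; it is not code from python-ecdsa or from anyone in this thread. It uses a constructed textbook toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of order 19, not a real-world curve) and counts the group operations performed by two scalar-multiplication ladders. The naive double-and-add ladder performs one addition per set bit, so its work depends directly on the private scalar; a Montgomery ladder run for a fixed number of iterations performs the same number of operations for every scalar. Even that regular ladder still branches on each secret bit in Python (there is no constant-time conditional swap) and every field operation goes through Python's variable-time big-integer arithmetic, which is why restructuring the pure-Python code does not by itself give a side-channel-free signer, and why the advice is to use a C-backed library such as pyca/cryptography for that property. The names `double_and_add`, `montgomery_ladder` and `op_counts` are this example's own.

```python
# Constructed toy curve (textbook parameters, NOT a real-world curve):
#   y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
P_MOD = 17
A_COEF = 2
G = (5, 1)
N_ORDER = 19
INF = None  # point at infinity


def point_add(p, q):
    """Affine point addition on the toy curve; doubles when p == q."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # q == -p
    if p == q:
        s = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def double_and_add(k):
    """Naive left-to-right ladder. Returns (point, doubles, adds).

    One addition per set bit and one doubling per bit of k: the amount of
    work tracks the scalar's Hamming weight and bit length, i.e. the secret.
    """
    r, doubles, adds = INF, 0, 0
    for bit in bin(k)[2:]:
        r = point_add(r, r)
        doubles += 1
        if bit == "1":
            r = point_add(r, G)
            adds += 1
    return r, doubles, adds


def montgomery_ladder(k):
    """Montgomery ladder over a fixed iteration count (bit length of the
    group order). Returns (point, doubles, adds): exactly one addition and
    one doubling per iteration, whatever the value of k.
    """
    r0, r1 = INF, G
    doubles = adds = 0
    for i in range(N_ORDER.bit_length() - 1, -1, -1):
        bit = (k >> i) & 1
        if bit:  # still a Python branch on a secret bit: no constant-time
            r0, r1 = r1, r0  # conditional swap exists at this level
        r1 = point_add(r0, r1)  # invariant: r1 == r0 + G
        adds += 1
        r0 = point_add(r0, r0)  # field ops are variable-time bigint ops
        doubles += 1
        if bit:
            r0, r1 = r1, r0
    return r0, doubles, adds


def op_counts(k):
    """Check both ladders agree on k*G and return their operation counts as
    {'double_and_add': (doubles, adds), 'montgomery': (doubles, adds)}."""
    p1, d1, a1 = double_and_add(k)
    p2, d2, a2 = montgomery_ladder(k)
    assert p1 == p2, (k, p1, p2)
    return {"double_and_add": (d1, a1), "montgomery": (d2, a2)}


if __name__ == "__main__":
    # Scalars 15 (0b01111) and 16 (0b10000) have the same bit length under
    # the ladder but very different Hamming weight.
    for k in (1, 15, 16, 18):
        print(k, format(k, "05b"), op_counts(k))
```

Running it shows the naive ladder doing 4 additions for k = 15 but only 1 for k = 16, while the Montgomery ladder reports 5 additions and 5 doublings for every scalar below 2^5. The regular operation count is the structural half of a constant-time design; the other half, constant-time field arithmetic and a branch-free swap, is exactly what the comment above says the Python runtime does not offer.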