Closed romanb closed 4 years ago
arianvp
commented
4 years ago Thanks for the heads up. We should also update https://github.com/wireapp/hkdf
As far as I know, we don't use generichash (Which is Blake2b) anywhere but instead use sha256. E.g. https://github.com/wireapp/hkdf/blob/develop/src/lib.rs#L32 so I don't think we're directly vulnerable. It's still good to bump the versions though.
raphaelrobert
commented
4 years ago Nice catch @romanb!
I think @arianvp is right, generichash wraps BLAKE2b (https://libsodium.gitbook.io/doc/hashing/generic_hashing#algorithm-details) while Proteus only depends on HKDF (which in turn explicitely uses SHA256):
raphaelrobert
commented
4 years ago The minimal sodiumoxide version is now 0.2.5. through #25.
See the Rust security advisory: https://rustsec.org/advisories/RUSTSEC-2019-0026.html. This should be followed up with new releases of the cryptobox libraries and everything on top.