chore(deps): update rust crate ed25519-dalek to v2.1.1 #855

Merged (1 commit), Aug 8, 2024


@renovate renovate bot commented Aug 6, 2024


This PR contains the following updates:

Package                 Type          Update  Change
ed25519-dalek (source)  dependencies  patch   2.1.0 -> 2.1.1

GitHub Vulnerability Alerts

GHSA-w5vr-6qhr-36cc

Versions of ed25519-dalek prior to v2.0 model private and public keys as separate types which can be assembled into a Keypair, and also provide APIs for serializing and deserializing 64-byte private/public keypairs.

Such APIs and serializations are inherently unsafe as the public key is one of the inputs used in the deterministic computation of the S part of the signature, but not in the R value. An adversary who could somehow use the signing function as an oracle that allows arbitrary public keys as input can obtain two signatures for the same message that share the same R and differ only in the S part.

Unfortunately, when this happens, one can easily extract the private key.

Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled private/public keypair as signing input, except as part of specially labeled "hazmat" APIs which are clearly labeled as being dangerous if misused.


Release Notes

dalek-cryptography/curve25519-dalek (ed25519-dalek)

v2.1.1


  • Fix nightly SIMD build

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
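
The advisory's observation that the public key feeds S but not R, shown with a small Python model of RFC 8032 signing (an added example, not code from ed25519-dalek or from this PR; `sign_decoupled` and `sign_coupled` are hypothetical names, and the model is not constant-time). For a fixed seed and message, a caller-supplied public key changes S while R stays the same, which is why the v2.0-style function derives the public key from the secret itself.

```python
# Constructed Python model of Ed25519 signing (RFC 8032); not ed25519-dalek code.
import hashlib

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # group order
D = -121665 * pow(121666, P - 2, P) % P               # curve constant d

def _add(a, b):                                       # affine Edwards addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def _mul(k, pt):                                      # double-and-add
    acc = (0, 1)                                      # neutral element
    while k:
        acc = _add(acc, pt) if k & 1 else acc
        pt, k = _add(pt, pt), k >> 1
    return acc

def _base_point():                                    # y = 4/5 with even x
    y = 4 * pow(5, P - 2, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x, y)
G = _base_point()

def _enc(pt):                                         # y with sign bit of x on top
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _expand(seed):                                    # (clamped scalar, nonce prefix)
    h = hashlib.sha512(seed).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]

def public_key(seed):
    return _enc(_mul(_expand(seed)[0], G))

def sign_decoupled(seed, pub, msg):                   # pre-2.0 shape: pub is an input
    a, prefix = _expand(seed)
    r = _h(prefix, msg) % L                           # nonce: public key not involved
    R = _enc(_mul(r, G))
    k = _h(R, pub, msg) % L                           # challenge: uses caller's pub
    return R + ((r + k * a) % L).to_bytes(32, "little")

def sign_coupled(seed, msg):                          # v2.0 shape: pub derived from seed
    return sign_decoupled(seed, public_key(seed), msg)
```

Comparing `sign_coupled(seed, msg)` with `sign_decoupled(seed, other_pub, msg)` for any `other_pub` shows identical first 32 bytes (R) and different last 32 bytes (S).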


monoid commented Aug 6, 2024

This is NOT a security update (it would be so from 1.x).


@monoid monoid left a comment


utACK

@fluencebot fluencebot added the e2e Run e2e workflow label Aug 6, 2024
@monoid monoid changed the title from "chore(deps): update rust crate ed25519-dalek to v2.1.1 [security]" to "chore(deps): update rust crate ed25519-dalek to v2.1.1" Aug 7, 2024
@monoid monoid merged commit db96111 into master Aug 8, 2024
37 of 44 checks passed
@monoid monoid deleted the renovate/crate-ed25519-dalek-vulnerability branch August 8, 2024 15:53