CVE-2024-23342 Timing Attack #330
Comments
|
We are also interesting is the ETA for the fix |
|
as stated in the vulnerability release GHSA-wj6h-64fc-37mp and as stated in the security policy timing attacks are outside the scope of the project. If you need an implementation that is safe against side-channel attacks, I recommend using https://github.com/pyca/cryptography It's a won't fix. |
|
Hi @tomato42, can you give more details on what you mean by "timing attacks are outside the scope of the project."? Does it mean that |
|
@dlpzx I mean that Python doesn't provide the primitives that are side-channel free, so it's impossible to build a side-channel free implementation on top of them. To actually fix it, it would require implementing the whole operation in C, which is a non-goal for the library (as it won't be a pure-python any more) |
Hello,
SNYK and other scanning tools alerts on package vulnerability ( Timing Attack ) found at "sign_digest" API function.
( ecdsa.SigningKey.sign_digest() )
https://www.cve.org/CVERecord?id=CVE-2024-23342( HIGH Alert)
Can you address when you are going to fix this?
Regards,
Yaron
The text was updated successfully, but these errors were encountered: