crates.io security advisory

栏目: IT技术 · 发布时间: 4年前

内容简介:This is a cross-post ofThe Rust Security Response Working Group was recently notified of a security issue affecting token generation in theWe have no evidence of this being exploited in the wild, but out of an abundance of caution we opted to revoke all ex

This is a cross-post of the official security advisory . The official post contains a signed version with our PGP key, as well.

The Rust Security Response Working Group was recently notified of a security issue affecting token generation in the crates.io web application, and while investigated that issue we discovered an additional vulnerability affecting crates.io API tokens.

We have no evidence of this being exploited in the wild, but out of an abundance of caution we opted to revoke all existing API keys. You can generate a new one at crates.io/me .

Overview

Until recently, API keys for crates.io were generated using the PostgreSQL random function, which is not a cryptographically secure random number generator. This means that in theory, an attacker could observe enough random values to determine the internal state of the random number generator, and use this information to determine previously created API keys up to the last database server reboot.

As part of the investigation for this, we also found that API keys were being stored in plain text. This would mean if our database were somehow compromised the attacker would be have API access for all current tokens.

Mitigations

We deployed a code change to production to use a cryptographically secure random number generator, and we implemented hashing for storing tokens in the database.

Exploiting either issue would be incredibly impractical in practice, and we've found no evidence of this being exploited in the wild. However, out of an abundance of caution, we've opted to revoke all existing API keys. You can generate a new API key by visiting crates.io/me . We apologize for any inconvenience this causes.

Acknowledgements

Thanks to Jacob Hoffman-Andrews for responsibly disclosing the random number generator issue according toour security policy. Thanks to Siân Griffin and Justin Geibel from the crates.io team for helping the Security Response WG addressing both of the issues. Thanks to Pietro Albini from the Security Response WG for coordinating the work on this vulnerability.

Timeline of events

All times are listed in UTC.

  • 2020-07-11 17:43 - The issue is reported to security@rust-lang.org
  • 2020-07-11 20:56 - The issue is acknowledged, the leads of the crates.io team are looped in
  • 2020-07-11 23:48 - The issue is confirmed and a planned fix is agreed on
  • 2020-07-13 08:00 - The development of the fix is started
  • 2020-07-14 12:53 - The fix is tested on the staging environment
  • 2020-07-14 19:03 - The fix is deployed, existing tokens are revoked, and the issue is disclosed publicly

以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

你必须知道的495个C语言问题

你必须知道的495个C语言问题

Steve Summit / 孙云、朱群英 / 人民邮电出版社 / 2009-2 / 45.00元

“本书是Summit以及C FAQ在线列表的许多参与者多年心血的结晶,是C语言界最为珍贵的财富之一。我向所有C语言程序员推荐本书。” ——Francis Glassborow,著名C/C++专家,ACCU(C/C++用户协会)前主席 “本书清晰阐明了Kernighan与Ritchie《The C programming Language》一书中许多简略的地方,而且精彩地总结了C语言编程......一起来看看 《你必须知道的495个C语言问题》 这本书的介绍吧!

JS 压缩/解压工具
JS 压缩/解压工具

在线压缩/解压 JS 代码

随机密码生成器
随机密码生成器

多种字符组合密码

正则表达式在线测试
正则表达式在线测试

正则表达式在线测试