Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to newer version of cryptiles #99

Closed
wants to merge 3 commits into from
Closed

Switch to newer version of cryptiles #99

wants to merge 3 commits into from

Conversation

CalRobert
Copy link
Contributor

Github warned about a vulnerability in the used version of cryptiles

donflopez
donflopez approved these changes Sep 21, 2018
View reviewed changes
Copy link

@donflopez donflopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 🌔

@gkwang
Copy link
Contributor

gkwang commented Sep 21, 2018

Are we updating the dependencies 1 at a time? There's a couple more that needs to be updated as well.

@CalRobert
Copy link
Contributor Author

Of the ones that github notified us about, only cryptiles was in package.json. I thought the other dependencies were nested (i.e. dependencies of dependencies) Happy to update others as well.

@gkwang
Copy link
Contributor

gkwang commented Oct 2, 2018
edited
Loading

Heads up, cryptiles 4.1.2 only supports node 8. hapijs/cryptiles@c44c0e9, the change modifies the function fixedTimeComparison which this library depends on, so this change may warrant a major version bump.

@CalRobert
Copy link
Contributor Author

@gkwang good point - changed it to 3.1.2 (still an awful lot newer) and this preserves support for Node 6

@david-nossebro
Copy link

If the version of Cryptiles is only changed to 3.1.2, I think we still have the security issue mentioned here:
hapijs/cryptiles#34

This issue is solved in 4.1.2 according to this:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

This is flagged as a critical issue by the tool "Black Duck Scan" that is used in my project.

@CalRobert
Copy link
Contributor Author

As I understand it the only clear options are:

  • Drop Node 6 support
  • Keep this vulnerability (this seems like a bad option to me)
  • (time consuming, could be a while) Remove use of cryptiles
  • (probably a non-starter) update Cryptiles to support Node 6 again

It may make sense to just drop Node6 and make this a major version release, but I'm curious what others think.

If the version of Cryptiles is only changed to 3.1.2, I think we still have the security issue mentioned here:
hapijs/cryptiles#34

This issue is solved in 4.1.2 according to this:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

This is flagged as a critical issue by the tool "Black Duck Scan" that is used in my project.

@david-nossebro
Copy link

It may make sense to just drop Node6 and make this a major version release, but I'm curious what others think.

I agree with you.

@gkwang
Copy link
Contributor

gkwang commented Oct 8, 2018

From what I'm seeing, we're not using cryptiles' PNRG, so this vulnerability doesn't directly affect us.
The only function we use is "fixedTimeComparison" which is unfortunately the exact function that breaks backwards compat. My vote is we can still bump the major version, and let the users decide whether to update it or not.

@machuga
Copy link
Contributor

machuga commented Oct 9, 2018

@CalRobert Dropping Node 6 isn't a viable option for us at the moment so we'll have to investigate some other approaches.

@david-nossebro
Copy link

I have created a pull-request #102 where I removed the 'Cryptiles' dependency.

@CalRobert CalRobert closed this May 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donflopez donflopez donflopez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@CalRobert @gkwang @david-nossebro @machuga @donflopez