diff options
Diffstat (limited to 'release-notes/5719.md')
-rw-r--r-- | release-notes/5719.md | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/release-notes/5719.md b/release-notes/5719.md new file mode 100644 index 0000000..19a7482 --- /dev/null +++ b/release-notes/5719.md @@ -0,0 +1 @@ +Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays. |