From e68b9d00a6e05b3a941f63ffb696f91e554ac5ec Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel@debian.org>
Date: Fri, 18 Oct 2024 20:33:49 +0200
Subject: Adding upstream version 9.0.3.

Signed-off-by: Daniel Baumann <daniel@debian.org>
---
 release-notes/5719.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 release-notes/5719.md

(limited to 'release-notes/5719.md')

diff --git a/release-notes/5719.md b/release-notes/5719.md
new file mode 100644
index 0000000..19a7482
--- /dev/null
+++ b/release-notes/5719.md
@@ -0,0 +1 @@
+Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
-- 
cgit v1.2.3