diff options
| author | Earl Warren <earl-warren@noreply.codeberg.org> | 2024-10-28 07:14:36 +0100 |
|---|---|---|
| committer | Earl Warren <earl-warren@noreply.codeberg.org> | 2024-10-28 07:14:36 +0100 |
| commit | e08664c56e20dd984c643012399a68d162cb7275 (patch) | |
| tree | 5ee2fd1fec222926286d8ca9cd065b7a1bd02d2d /release-notes | |
| parent | Merge pull request 'add permission check to 'delete branch after merge'' (#57... (diff) | |
| parent | fix(sec): use constant time check for internal token (diff) | |
| download | forgejo-e08664c56e20dd984c643012399a68d162cb7275.tar.xz forgejo-e08664c56e20dd984c643012399a68d162cb7275.zip | |
Merge pull request 'use constant time check for internal token' (#5719) from earl-warren/forgejo:wip-timing into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5719
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Diffstat (limited to 'release-notes')
| -rw-r--r-- | release-notes/5719.md | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/release-notes/5719.md b/release-notes/5719.md new file mode 100644 index 0000000000..19a74825e4 --- /dev/null +++ b/release-notes/5719.md @@ -0,0 +1 @@ +Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays. |