Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated dalek dependecy #11

Closed
wants to merge 2 commits into from
Closed

Updated dalek dependecy #11

wants to merge 2 commits into from

Conversation

markopoloparadox
Copy link

No description provided.

moraesjeremias
moraesjeremias requested changes Jul 2, 2024
View reviewed changes
Copy link
Member

@moraesjeremias moraesjeremias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will release and test a temp tag on bridge-api and get back with results.

substrate/primitives/statement-store/Cargo.toml
@@ -31,7 +31,7 @@ thiserror = { version = "1.0", optional = true }
# ECIES dependencies
ed25519-dalek = { version = "2.1", optional = true }
x25519-dalek = { version = "2.0", optional = true, features = ["static_secrets"] }
curve25519-dalek = { version = "4.1.1", optional = true }
curve25519-dalek = { version = "4.1.3", optional = true }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gonna make a temp release based on your branch and see if these are still propagated through the consumed packages in bridge-api.

If not we can live with it till we prioritize the other vulnerabilities fix present in Cargo.lock versioned crates.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cargo.toml on both bridge-api and avail-core were modified to consume polkadot-1.7.1-patch-8-tmp.

On bridge-api:

╰─$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 630 security advisories (from /home/moraesjeremias/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (578 crate dependencies)
Crate:     curve25519-dalek
Version:   3.2.0
Title:     Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
Date:      2024-06-18
ID:        RUSTSEC-2024-0344
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0344
Solution:  Upgrade to >=4.1.3

On avail-core:

╰─$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 630 security advisories (from /home/moraesjeremias/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (459 crate dependencies)
Crate:     curve25519-dalek
Version:   3.2.0
Title:     Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
Date:      2024-06-18
ID:        RUSTSEC-2024-0344
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0344
Solution:  Upgrade to >=4.1.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moraesjeremias moraesjeremias moraesjeremias requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markopoloparadox @moraesjeremias