Add advisory for timing variability in curve25519-dalek-ng

Open fspreiss opened this issue 6 months ago • 5 comments

The timing variability in curve25519-dalek that was reported via RUSTSEC-2024-0344 is also applicable to its fork curve25519-dalek-ng.

This is relevant because crates such as ed25519-consensus, which are actively used by the community for secret key operations, depend on the vulnerable curve25519-dalek-ng.

fspreiss, Jun 27 '25 22:06

As a matter of policy, we don't publish advisories without confirmation/agreement from the maintainer, unless the maintainer becomes unresponsive (for 270 days in case of no open issues or 60 days in case of a potential vulnerability).

@hdevalence are you aware of this issue? Do you agree it warrants an advisory?

djc, Jun 28 '25 13:06

I don't think this issue warrants an advisory, but I don't think it's particularly important either way. It should be fixed shortly, just fell through the cracks and there was no follow-up.

hdevalence, Jun 28 '25 15:06

> I don't think this issue warrants an advisory,

Why not? If the pre-fork code had one, it seems surprising that this crate wouldn't get one.

djc, Jun 28 '25 15:06

Are there maybe any updates regarding this?

fspreiss, Oct 30 '25 09:10

> Are there maybe any updates regarding this?

It's up to @hdevalence.

djc, Oct 30 '25 12:10