authorLinus Färnstrand <linus@mullvad.net>2024-10-01 16:20:29 +0200
committerLinus Färnstrand <linus@mullvad.net>2024-10-15 11:56:57 +0200
commitbbed3cdf8053a92629d443e967531ce5ff4f8ee8 (patch)
tree2f3549dc9bb6f9eda2fa185039f58dfd630c6f47
parentd5c7876c68327fa1603178244a0ac03871ef02ce (diff)
Stop ignoring RUSTSEC-2023-0079 (Kyber timing attack)
The `pqc_kyber` dependency affected by this advisory is no longer in our dependency tree
-rw-r--r--.github/workflows/cargo-audit.yml4
-rw-r--r--deny.toml2
-rw-r--r--osv-scanner.toml10
3 files changed, 0 insertions, 16 deletions
diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
index e3f44a3b96..a9f8c039c7 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -28,8 +28,6 @@ jobs:
denyWarnings: true
# Ignored audit issues. This list should be kept short, and effort should be
# put into removing items from the list.
- # RUSTSEC-2023-0079 - KyberSlash in `pqc_kyber`.
- ignore: RUSTSEC-2023-0079
- uses: actions-rust-lang/audit@v1.1.11
name: Audit testrunner Rust Dependencies
@@ -38,5 +36,3 @@ jobs:
denyWarnings: true
# Ignored audit issues. This list should be kept short, and effort should be
# put into removing items from the list.
- # RUSTSEC-2023-0079 - KyberSlash in `pqc_kyber`.
- ignore: RUSTSEC-2023-0079
diff --git a/deny.toml b/deny.toml
index 00a1076b78..c310d84330 100644
--- a/deny.toml
+++ b/deny.toml
@@ -26,8 +26,6 @@ yanked = "deny"
ignore = [
# Ignored audit issues. This list should be kept short, and effort should be
# put into removing items from the list.
- # RUSTSEC-2023-0079 - KyberSlash in `pqc_kyber`.
- "RUSTSEC-2023-0079",
]
diff --git a/osv-scanner.toml b/osv-scanner.toml
index 0349695942..1837415f42 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -40,13 +40,3 @@
# `renderer-helper` currently depend on this version of libbaz, preventing us from upgrading to a fixed version.
# """
# ```
-
-# KyberSlash timing attack against Kyber PQ KEM
-[[IgnoredVulns]]
-id = "RUSTSEC-2023-0079"
-ignoreUntil = 2024-12-05 # Ignored for six months at a time. This class of timing based attacks are not exploitable in our protocol design
-reason = """
-KyberSlash is not exploitable in our usage of it:
-https://mullvad.net/en/blog/mullvads-usage-of-kyber-is-not-affected-by-kyberslash
-And no patched version is available.
-"""