Security
Headlines

Headlines Latest CVEs

Headline

GHSA-c3hm-hxwf-g5c6: vodozemac has degraded secret zeroization capabilities

Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag while vodozemac disabled the default feature set.

Impact

The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure.

Overall, we consider the impact of this issue to be low. Although cryptographic best practices recommend the clearing of sensitive information from memory once it’s no longer needed, the inherent limitations of Rust regarding absolute zeroization reduce the practical severity of this lapse.

Patches

The patch is in commit https://github.com/matrix-org/vodozemac/pull/130/commits/297548cad4016ce448c4b5007c54db7ee39489d9.

Workarounds

None.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

8 months ago

Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag while vodozemac disabled the default feature set.

Impact

The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure.

Overall, we consider the impact of this issue to be low. Although cryptographic best practices recommend the clearing of sensitive information from memory once it’s no longer needed, the inherent limitations of Rust regarding absolute zeroization reduce the practical severity of this lapse.

Patches

The patch is in commit matrix-org/vodozemac@297548c.

Workarounds

None.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

References

GHSA-c3hm-hxwf-g5c6
https://nvd.nist.gov/vuln/detail/CVE-2024-34063
matrix-org/vodozemac@297548c

ghsa: Latest News

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability

1 day ago

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation

1 day ago

GHSA-vprm-27pv-jp3w: Vaultwarden authenticated reflected cross-site scripting (XSS) vulnerability

1 day ago

GHSA-5xh2-23cc-5jc6: Strawberry GraphQL has type resolution vulnerability in node interface that allows potential data leakage through incorrect type resolution

1 day ago

GHSA-675f-rq2r-jw82: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

1 day ago