This gem is using an unauthenticated encryption mode (CBC) which is vulnerable to chos

No, failure to use a random IV (<a class="issue-link js-issue-link" data-error-text="F

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Unauthenticated encryption is vulnerable to chosen ciphertext attacks, bitflipping attacks about aescrypt HOT 6 OPEN

gurpartap commented on July 3, 2024

Unauthenticated encryption is vulnerable to chosen ciphertext attacks, bitflipping attacks

from aescrypt.

fsck-mount commented on July 3, 2024

Is that something, that we can avoid using Random IV?

from aescrypt.

tarcieri commented on July 3, 2024

No, failure to use a random IV (#4) is a separate, unrelated, but still very bad problem.

from aescrypt.

fsck-mount commented on July 3, 2024

@tarcieri Thanks for the info.

from aescrypt.

jfinkhaeuser commented on July 3, 2024

FYI, in case you're trying to follow the same path as me:

Create a CVE request at http://cve.mitre.org/ - You'll get a CVE ID a day or so later.
Create a report at https://rubysec.com/, quoting the CVE ID (they really need it even if it's not a required field)
If people use https://github.com/rubysec/bundler-audit (they should), the reports will crop up.

from aescrypt.

jfinkhaeuser commented on July 3, 2024

I'm just sad it took me four years to figure out that this path works just fine... ugh. It should not have surprised me.

from aescrypt.