cloudstack-dev mailing list archives

From Pierre-Yves Ritschard <...@spootnik.org>
Subject Re: [GitHub] cloudstack pull request: Use constant-time comparison functions wh...
Date Wed, 14 Jan 2015 10:36:48 GMT
I'll note here that this can be applied to 4.4 and 4.3 as well, modulo some
simple changes.

On Wed, Jan 14, 2015 at 11:32 AM, pyr <git@git.apache.org> wrote:

> GitHub user pyr opened a pull request:
>
>     https://github.com/apache/cloudstack/pull/65
>
>     Use constant-time comparison functions when checking signatures
>
>     This limits the likeliness of timing attacks against the API.
>     See http://codahale.com/a-lesson-in-timing-attacks/ for the
>     full rationale.
>
> You can merge this pull request into a Git repository by running:
>
>     $ git pull https://github.com/exoscale/cloudstack feature/constant-time
>
> Alternatively you can review and apply these changes as the patch at:
>
>     https://github.com/apache/cloudstack/pull/65.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
>     This closes #65
>
> ----
> commit 9b4e39e837af498599859c4a6687eb8bf9f8ad89
> Author: Pierre-Yves Ritschard <pyr@spootnik.org>
> Date:   2015-01-14T10:27:35Z
>
>     Use constant-time comparison functions when checking signatures
>
>     This limits the likeliness of timing attacks against the API.
>     See http://codahale.com/a-lesson-in-timing-attacks/ for the
>     full rationale.
>
>     Conflicts:
>         server/src/com/cloud/api/ApiServer.java
>         server/src/com/cloud/user/AccountManagerImpl.java
>
> ----
>
>
> ---
> If your project is set up for it, you can reply to this email and have your
> reply appear on GitHub as well. If your project does not have this feature
> enabled and wishes so, or if the feature is enabled but not working, please
> contact infrastructure at infrastructure@apache.org or file a JIRA ticket
> with INFRA.
> ---
>
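
The difference between an early-exit comparison and a constant-time one when checking a request signature, as an added example that is not code from pull request #65 or from CloudStack. The class and method names, the HMAC-SHA256 algorithm and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureCheck {
    // Assumption for this example: requests are signed with HMAC-SHA256.
    private static final String ALGORITHM = "HmacSHA256";

    static byte[] sign(String secret, String request) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), ALGORITHM));
        return mac.doFinal(request.getBytes(StandardCharsets.UTF_8));
    }

    // Before: String.equals() returns at the first differing character, so the
    // time taken depends on how long a prefix of the signature was correct.
    static boolean verifyEarlyExit(String secret, String request, String supplied)
            throws GeneralSecurityException {
        String expected = Base64.getEncoder().encodeToString(sign(secret, request));
        return expected.equals(supplied);
    }

    // After: compare the raw MAC bytes with MessageDigest.isEqual(), which does
    // not stop at the first mismatching byte.
    static boolean verifyConstantTime(String secret, String request, String supplied)
            throws GeneralSecurityException {
        if (supplied == null) {
            return false;
        }
        byte[] actual;
        try {
            actual = Base64.getDecoder().decode(supplied);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 can never be a valid signature
        }
        return MessageDigest.isEqual(sign(secret, request), actual);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String secret = "constructed-secret";            // constructed sample value
        String request = "apikey=abc&command=listusers"; // constructed sample value
        String good = Base64.getEncoder().encodeToString(sign(secret, request));
        String bad = Base64.getEncoder().encodeToString(sign(secret, request + "&x=1"));
        System.out.println(verifyConstantTime(secret, request, good)); // true
        System.out.println(verifyConstantTime(secret, request, bad));  // false
        System.out.println(verifyConstantTime(secret, request, "%%")); // false
    }
}
```

Both methods return the same results; only the constant-time version avoids leaking the position of the first mismatch through response time.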
