CVE-2024-34063: vodozemac has degraded secret zeroization capabilities
Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag while vodozemac disabled the default feature set.
References
- github.com/advisories/GHSA-c3hm-hxwf-g5c6
- github.com/matrix-org/vodozemac
- github.com/matrix-org/vodozemac/commit/297548cad4016ce448c4b5007c54db7ee39489d9
- github.com/matrix-org/vodozemac/security/advisories/GHSA-c3hm-hxwf-g5c6
- nvd.nist.gov/vuln/detail/CVE-2024-34063
- rustsec.org/advisories/RUSTSEC-2024-0342.html