GHSA-f6jh-hvg2-9525: crystals-go vulnerable to KyberSlash (timing side-channel attack for Kyber)
On some platforms, an attacker who can time Kyber decapsulation on forged ciphertexts could possibly learn (parts of) the secret key.
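KyberSlash refers to integer divisions by the Kyber modulus applied to secret-dependent values. The sketch below is an added example, not code from crystals-go or from the advisory: it puts the division form of message-bit decoding beside a multiply-and-shift form and checks that they agree for every coefficient. Function names are hypothetical.

```go
package main

import "fmt"

const q = 3329 // Kyber modulus

// msgBitDiv decodes one message bit from a coefficient in [0, q) with an
// integer division. During decapsulation the coefficient depends on the
// secret key, so on platforms where the division's latency varies with its
// operands, the running time can leak information about the key.
func msgBitDiv(coeff uint16) uint32 {
	return ((uint32(coeff)<<1 + q/2) / q) & 1
}

// msgBitMulShift computes the same bit using only a multiply and a shift.
// 80635 is floor(2^28 / q); the 1665 offset keeps the rounding identical to
// msgBitDiv on all of [0, q), which firstMismatch verifies exhaustively.
func msgBitMulShift(coeff uint16) uint32 {
	t := uint32(coeff)<<1 + 1665
	t *= 80635 // at most 8321 * 80635, which fits in 32 bits
	t >>= 28
	return t & 1
}

// firstMismatch returns the first coefficient on which the two decoders
// disagree, or -1 if they agree on the whole range.
func firstMismatch() int {
	for c := 0; c < q; c++ {
		if msgBitDiv(uint16(c)) != msgBitMulShift(uint16(c)) {
			return c
		}
	}
	return -1
}

func main() {
	fmt.Println("first mismatch:", firstMismatch())
}
```

Whether the division in `msgBitDiv` compiles to a variable-time instruction depends on the compiler and target, which matches the advisory's "on some platforms" wording.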
References
- github.com/advisories/GHSA-f6jh-hvg2-9525
- github.com/kudelskisecurity/crystals-go
- github.com/kudelskisecurity/crystals-go/commit/2a6ca2d4e64d18dd6e8fbb4e48e22c2510118505
- github.com/kudelskisecurity/crystals-go/issues/19
- github.com/kudelskisecurity/crystals-go/pull/20
- github.com/kudelskisecurity/crystals-go/pull/21
- github.com/kudelskisecurity/crystals-go/security/advisories/GHSA-f6jh-hvg2-9525
- kyberslash.cr.yp.to/faq