I note that there are security fixes in these releases -- did I miss Chris' email about these patches or are we moving away from the model where we send out an email to the list a couple of days before release?
~Matt Walker
Wikimedia Foundation
Fundraising Technology Team
On Thu, Feb 27, 2014 at 6:55 PM, Brian Wolff bawolff@gmail.com wrote:
- (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
Not to be a grammar nazi, but that should presumably be something along the lines of "Using constant time comparison will prevent this" instead of "This will take constant time", as that could be interpreted as the attack would take constant time.
--bawolff
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
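
An added illustration of the bug 61346 release note quoted above (not part of the thread and not MediaWiki's code): it counts the byte comparisons an early-exit check performs against those of a comparison that always scans the whole input. The function names and the token value are constructed for the example.

```python
import hmac

def naive_equals(known: bytes, supplied: bytes):
    """Early-exit comparison: stops at the first differing byte.

    Returns (equal, steps). The step count stands in for elapsed time and
    shows that the work done depends on how long the matching prefix is.
    """
    steps = 0
    if len(known) != len(supplied):
        return False, steps
    for k, s in zip(known, supplied):
        steps += 1
        if k != s:
            return False, steps
    return True, steps

def constant_time_equals(known: bytes, supplied: bytes):
    """Scans every supplied byte and folds the differences into one value.

    The amount of work depends only on the length of the supplied value,
    never on where the first mismatch is.
    """
    steps = 0
    diff = len(known) ^ len(supplied)  # a length mismatch also fails, without an early return
    for i in range(len(supplied)):
        steps += 1
        k = known[i % len(known)] if known else 0
        diff |= k ^ supplied[i]
    return diff == 0, steps

def check_token(known: bytes, supplied: bytes) -> bool:
    """What to call in real Python code: the standard library's timing-safe compare."""
    return hmac.compare_digest(known, supplied)

if __name__ == "__main__":
    token = b"a1b2c3d4e5f60718"  # constructed sample token
    for guess in (b"0" * 16, b"a1b2" + b"0" * 12, token):
        print(guess, naive_equals(token, guess), constant_time_equals(token, guess))
```

The pure-Python loop only models the idea; interpreter overhead means it gives no real timing guarantee, which is why `check_token` defers to `hmac.compare_digest`.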