Comment 9 for bug 1325128
Revision history for this message
| Andrew Laski (alaski) wrote Re: nova metadata does not use a constant time compare for validating an HMAC token | #9 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
I would be ok with opening this up to be a public bug. The exploit is theoretical at this point, and even the included links contain theoretical attacks with no proof of concept code. And in general this token compare should not be receiving user input, though that is dependent on the deployment setup.