-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67357/
-----------------------------------------------------------
(Updated June 6, 2018, 10:31 a.m.)


Review request for mesos and Alexander Rukletsov.


Repository: mesos


Description
-------

A vulnerability in our JWT implementation allows an unauthenticated remote attacker to execute timing attacks [1].

This patch removes the vulnerability by adding a constant time comparison of hashes, where the whole message is visited during the comparison instead of returning at the first failure.

[1] https://codahale.com/a-lesson-in-timing-attacks/


Diffs (updated)
-----

  3rdparty/libprocess/src/jwt.cpp 4477ddd17dede2b924a47e33942b39244f10316f


Diff: https://reviews.apache.org/r/67357/diff/3/

Changes: https://reviews.apache.org/r/67357/diff/2-3/


Testing
-------

```sh
make check
```


Thanks,

Alexander Rojas
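
The difference between an early-exit comparison and the constant-time comparison the description refers to, shown as an added example that is not part of the review request or the Mesos code. The function names and the `visited` counter are assumptions made for illustration; the counter only exposes how much work each variant does and would not appear in production code.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Early-exit comparison (the pattern the patch removes). `visited` reports how
// many bytes were inspected, making the data-dependent work visible.
bool leakyEquals(const std::string& a, const std::string& b, std::size_t* visited)
{
  *visited = 0;
  if (a.size() != b.size()) return false;
  for (std::size_t i = 0; i < a.size(); ++i) {
    ++*visited;
    if (a[i] != b[i]) return false;  // Returns at the first failure.
  }
  return true;
}

// Constant-time comparison: every byte is visited and differences are OR-ed
// into an accumulator, so the work done does not depend on where (or whether)
// the inputs differ. Length is treated as public, as it is for a fixed-size MAC.
bool constantTimeEquals(const std::string& a, const std::string& b, std::size_t* visited)
{
  *visited = 0;
  if (a.size() != b.size()) return false;
  unsigned char diff = 0;
  for (std::size_t i = 0; i < a.size(); ++i) {
    ++*visited;
    diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
  }
  return diff == 0;
}

int main()
{
  // Constructed sample values standing in for an expected and a presented MAC.
  const std::string expected(32, 'A');
  std::string forged = expected;
  forged[0] = 'B';  // Mismatch in the very first byte.

  std::size_t n = 0;
  leakyEquals(expected, forged, &n);
  std::cout << "early-exit inspected " << n << " byte(s)\n";
  constantTimeEquals(expected, forged, &n);
  std::cout << "constant-time inspected " << n << " byte(s)\n";
  return 0;
}
```

Where OpenSSL is already linked, `CRYPTO_memcmp` provides the same property for raw buffers of equal length.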