The maintainer(s) of the affected project have already been made aware of this vulnerability.
Description
The KyberSlash 1 & 2 vulnerabilities could be found in this repo (see https://kyberslash.cr.yp.to/) and led to the repo being officially archived since it is not maintained anymore.
KyberSlash1 was fixed, but KyberSlash2 wasn't before archival.
Users should instead use https://pkg.go.dev/filippo.io/mlkem768 for key encapsulation / encryption / decryption using Kyber.
Thanks for the report! This will be designated GO-2024-2469.
Clarifying question before I create the report: is kudelskisecurity/crystals-go#21 related to this change? If so, does this mean that the Encaps, Encrypt, and Decaps symbols are now fixed at the latest version? (Or will they be permanently vulnerable?)
Yes, the code now also contains fixes for KyberSlash2 (they were added yesterday). Please note that we (Kudelski Security) do not have plans to continue maintaining this library, which is why we deprecated and archived it. Feel free to fork it!
Acknowledgement
Affected Modules, Packages, Versions and Symbols
CVE/GHSA ID
No response
Fix Commit or Pull Request
kudelskisecurity/crystals-go#20
References
Additional information
No response