Improve security around archiver key

legoktm requested to merge legoktm/hyperkitty:archiver-key into master
  • Use a constant-time check when evaluating the value of the archiver key to be resistant to timing attacks. (CVE-2021-35057)
  • Read the archiver key from an HTTP header so it doesn't appear in server logs. This will require updating the mailman-hyperkitty package as well. (CVE-2021-35058)

Fixes #387 (closed).
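The two changes above, shown side by side as an added Python example that is not HyperKitty's or mailman-hyperkitty's code: a query-string key compared with `==` next to a header-carried key compared in constant time, plus the access-log line a typical format records for each request. The header name `X-Archiver-Key`, the request dict shape, the path and the key value are all assumptions constructed for the demo.

```python
import hmac
import secrets

# Constructed sample secret for the demo; a real deployment loads it from settings.
ARCHIVER_KEY = secrets.token_hex(16)

# Header name is an assumption for this example, not the project's real header.
ARCHIVER_KEY_HEADER = "X-Archiver-Key"


def check_key_naive(request):
    """Pre-fix pattern: the key travels in the query string and is compared with ==.
    The query string is written to access logs, and == returns as soon as one
    byte differs, so response time reveals how long the matching prefix is."""
    supplied = request["query"].get("key", "")
    return supplied == ARCHIVER_KEY


def check_key_hardened(request):
    """Post-fix pattern: the key is read from a request header (which common
    access-log formats do not record) and compared in constant time."""
    supplied = request["headers"].get(ARCHIVER_KEY_HEADER)
    if supplied is None:
        return False
    # compare_digest takes time independent of where the two inputs differ.
    return hmac.compare_digest(supplied.encode(), ARCHIVER_KEY.encode())


def access_log_line(request):
    """A common access-log format: method, path and query string, no headers.
    Shows why a key passed in the query string ends up on disk."""
    query = "&".join(f"{k}={v}" for k, v in request["query"].items())
    path = request["path"] + (f"?{query}" if query else "")
    return f"GET {path} HTTP/1.1 200"


def make_request(path, query=None, headers=None):
    """Build the minimal request dict the checks above expect (constructed shape)."""
    return {"path": path, "query": query or {}, "headers": headers or {}}
```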