Improve security around archiver key (!354) · Merge requests · GNU Mailman / HyperKitty · GitLab

legoktm requested to merge legoktm/hyperkitty:archiver-key into master Jun 22, 2021

Use a constant time check when evaluating the value of the archiver key to be resistant to timing attacks. (CVE-2021-35057)
Read the archiver key from a HTTP header so it doesn't appear in server logs. This will require updating the mailman-hyperkitty package as well. (CVE-2021-35058)

Fixes #387 (closed).