[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Fri Apr 5 04:36:30 UTC 2019

#39309: Secure WordPress Against Infrastructure Attacks
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  task (blessed)                |      Status:  assigned
 Priority:  normal                        |   Milestone:  5.2
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:

Comment (by dd32):

 Replying to [comment:70 paragoninitiativeenterprises]:
 > > After reviewing the error debugging included, it looks like we've got
 > > a few clients failing to verify signatures, but the reason isn't jumping
 > > out at me straight away.
 > Could you forward some details about this to security at paragonie.com at
 > your earliest convenience? If there's a platform-specific bug affecting
 > Ed25519 signature verification, it probably needs to be fixed inside

 We'll most definitely forward anything on; unfortunately, at present
 there's no context other than (paraphrased) `Signature X of Hash Y failed
 to be verified against Key Z on an Unknown Environment on an Unknown Host`
 (where X, Y, and Z are correct).

 We don't have any details of if it's ext/sodium, sodium_compat, if the
 signature or key length were rejected, etc.
 [attachment:"39309-extra-debugging.diff"] aims to give some context there,
 but it's not going to pinpoint the problematic environment. If that doesn't
 provide enough details to reproduce, we'll look at other ways to identify a
 pattern.

Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:72>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
