[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Fri Apr 5 04:36:30 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
Replying to [comment:70 paragoninitiativeenterprises]:
> > After reviewing the error debugging included, it looks like we've got
> > a few clients failing to verify signatures, but the reason isn't jumping
> > out at me straight away.
>
> Could you forward some details about this to security at paragonie.com at
> your earliest convenience? If there's a platform-specific bug affecting
> Ed25519 signature verification, it probably needs to be fixed inside
> sodium_compat.
We'll most definitely forward anything on; unfortunately, at present
there's no context other than (paraphrased) `Signature X of Hash Y failed
to be verified against Key Z on an Unknown Environment on an Unknown Host`
(where X, Y, and Z are correct).
We don't have any details of whether it's ext/sodium or sodium_compat,
whether the signature or key length were rejected, etc.
[attachment:"39309-extra-debugging.diff"] aims to give some context there,
but it's not going to pinpoint the problematic environment. If that doesn't
provide enough details to reproduce, we'll look at other ways to identify a
pattern.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:72>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform