Security vulnerability in PasswordField of lift-mongoauth


Tim Nelson

Feb 26, 2018, 12:28:03 PM
to Lift
Dear community,

I recently found out there is a security vulnerability in the version of jBcrypt that the PasswordField in lift-mongoauth uses.

I published v1.3.1 today that upgrades jBcrypt to v0.4. Please upgrade if you are using the PasswordField in lift-mongoauth.

Thanks,
Tim

Riccardo Sirigu

Feb 27, 2018, 6:48:33 AM
to Lift
Thank you Tim

Diego Medina

Feb 27, 2018, 7:14:10 AM
to Lift
Thanks for taking care of it!

--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code


Antonio Salazar Cardozo

Feb 27, 2018, 12:43:04 PM
to Lift
Tim, is this something we need to pull into Lift proper? We seem to have a copy of the jBCrypt code in Lift (guessing this predates it being available as a Maven artifact).
Thanks,
Antonio

Tim Nelson

Feb 28, 2018, 4:37:48 AM
to Lift
It looks like it does need to be fixed in Lift itself. I didn't realize we had copied that code. I was testing out Snyk when I found it, but Lift was clean, so I didn't check into it further.


Tim