Source: ruby-devise-two-factor
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-devise-two-factor.

CVE-2024-8796[0]:
| Under the default configuration, Devise-Two-Factor versions >= 2.2.0
| & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of
| the 128-bit minimum defined by RFC 4226. Using a shared secret
| shorter than the minimum to generate a multi-factor authentication
| code could make it easier for an attacker to guess the shared secret
| and generate valid TOTP codes.

https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8796
    https://www.cve.org/CVERecord?id=CVE-2024-8796

Please adjust the affected versions in the BTS as needed.

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
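The advisory above turns on the size of the Base32-encoded TOTP shared secret: Base32 carries 5 bits per character, so a 24-character secret holds only 120 bits, below the 128-bit minimum of RFC 4226 (which recommends 160). The Ruby script below is an added example, not code from the bug report or from the devise-two-factor gem: it decodes a stored Base32 secret, reports how many secret bits it actually carries, flags it against the RFC 4226 minimum, and generates a replacement of the recommended length with `SecureRandom`. The 24-character sample secret and the helper names (`secret_bits`, `check_secret`, `generate_secret`) are constructed for the example; the Base32 codec is a minimal RFC 4648 implementation so the script runs without any gem.

```ruby
require 'securerandom'

# RFC 4648 Base32 alphabet (the encoding used for TOTP provisioning secrets).
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
# RFC 4226 section 4: shared secret MUST be at least 128 bits, SHOULD be 160.
RFC4226_MIN_BITS = 128
RFC4226_RECOMMENDED_BITS = 160

# Constructed sample: 24 Base32 characters, i.e. 24 * 5 = 120 bits,
# the length the advisory describes as too short.
SHORT_SECRET = 'JBSWY3DPEHPK3PXPJBSWY3DP'.freeze

# Decode an (optionally padded) Base32 string into raw bytes.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid Base32 character #{c.inspect}" if idx.nil?
    idx.to_s(2).rjust(5, '0')
  end.join
  # Trailing bits that do not complete a byte are encoder padding; drop them.
  whole = bits[0, bits.length - (bits.length % 8)]
  whole.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Encode raw bytes as unpadded Base32.
def base32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits += '0' * ((5 - bits.length % 5) % 5)
  bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
end

# Number of secret bits carried by a Base32 encoded shared secret
# (decoded byte count * 8, so encoder padding bits are not counted).
def secret_bits(base32_secret)
  base32_decode(base32_secret).bytesize * 8
end

# Audit helper: how long is this stored secret, and does it meet RFC 4226?
def check_secret(base32_secret)
  bits = secret_bits(base32_secret)
  { bits: bits, compliant: bits >= RFC4226_MIN_BITS }
end

# Generate a fresh secret of the requested size (default: RFC 4226 recommended).
def generate_secret(bits = RFC4226_RECOMMENDED_BITS)
  raise ArgumentError, "#{bits} bits is below the RFC 4226 minimum" if bits < RFC4226_MIN_BITS
  raise ArgumentError, 'bit length must be a multiple of 8' unless (bits % 8).zero?
  base32_encode(SecureRandom.random_bytes(bits / 8))
end

if __FILE__ == $PROGRAM_NAME
  puts "sample secret: #{check_secret(SHORT_SECRET).inspect}"   # 120 bits, non-compliant
  fresh = generate_secret
  puts "replacement:   #{fresh} (#{secret_bits(fresh)} bits)"   # 32 chars, 160 bits
end
```

Running `check_secret` over existing user records is a quick way to find secrets issued by an affected version; rotating them means re-enrolling the user's authenticator, since the shared secret is what the device holds.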
