I'll note here that this can be applied to 4.4 and 4.3 as well, modulo some simple changes.
On Wed, Jan 14, 2015 at 11:32 AM, pyr <g...@git.apache.org> wrote:
> GitHub user pyr opened a pull request:
>
>     https://github.com/apache/cloudstack/pull/65
>
>     Use constant-time comparison functions when checking signatures
>
>     This limits the likeliness of timing attacks against the API.
>     See http://codahale.com/a-lesson-in-timing-attacks/ for the
>     full rationale.
>
> You can merge this pull request into a Git repository by running:
>
>     $ git pull https://github.com/exoscale/cloudstack feature/constant-time
>
> Alternatively you can review and apply these changes as the patch at:
>
>     https://github.com/apache/cloudstack/pull/65.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
>     This closes #65
>
> ----
> commit 9b4e39e837af498599859c4a6687eb8bf9f8ad89
> Author: Pierre-Yves Ritschard <p...@spootnik.org>
> Date:   2015-01-14T10:27:35Z
>
>     Use constant-time comparison functions when checking signatures
>
>     This limits the likeliness of timing attacks against the API.
>     See http://codahale.com/a-lesson-in-timing-attacks/ for the
>     full rationale.
>
>     Conflicts:
>         server/src/com/cloud/api/ApiServer.java
>         server/src/com/cloud/user/AccountManagerImpl.java
>
> ----
>
> ---
> If your project is set up for it, you can reply to this email and have your
> reply appear on GitHub as well. If your project does not have this feature
> enabled and wishes so, or if the feature is enabled but not working, please
> contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
> with INFRA.
> ---
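As an added illustration of the kind of change the pull request describes (this is not CloudStack code and not from the PR): a naive early-exit signature comparison beside a constant-time check built on `MessageDigest.isEqual` over the decoded signature bytes. The HMAC-SHA1/base64 signing helper, the class name, and the secret and query values are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureCheck {
    // Assumed signing scheme for the example: base64(HMAC-SHA1(secretKey, canonicalQuery)).
    // Building the canonical (sorted, lowercased) query string is left to the caller.
    static String sign(String secretKey, String canonicalQuery) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] tag = mac.doFinal(canonicalQuery.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    // The pattern a constant-time comparison replaces: this returns at the first differing
    // character, so response time varies with how many leading characters matched.
    static boolean naiveEquals(String expected, String provided) {
        if (expected.length() != provided.length()) return false;
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != provided.charAt(i)) return false;
        }
        return true;
    }

    // Constant-time check: MessageDigest.isEqual examines every byte regardless of where
    // the first mismatch is (only the length check can return early, and the length of a
    // valid signature is public). A malformed base64 value is rejected before comparing.
    static boolean constantTimeEquals(String expected, String provided) {
        byte[] a, b;
        try {
            a = Base64.getDecoder().decode(expected);
            b = Base64.getDecoder().decode(provided);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-secret-key";      // constructed sample value
        String query = "apikey=abc&command=listzones"; // constructed canonical query
        String good = sign(secret, query);
        String forged = sign("wrong-key", query);
        System.out.println(naiveEquals(good, good) + " " + constantTimeEquals(good, good));
        System.out.println(naiveEquals(good, forged) + " " + constantTimeEquals(good, forged));
        System.out.println(constantTimeEquals(good, "not*base64"));
    }
}
```

Both checks give the same boolean answers; the difference is only that the time taken by `constantTimeEquals` does not depend on where the two values first diverge.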