This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2022-04-21
New Java releases are out which fix a critical security vulnerability. https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
I'm not really sure yet to what extent widely used Clojure libraries are impacted by this, but I do see that buddy uses some of the affected classes. If you're using buddy, especially with JWT, I would not wait to upgrade. In general, if you're running an app exposed to the internet, I would not wait to upgrade.
Note that this impacts Java 15 and later; if you're still on 8 or 11 (as many are), then you are not currently vulnerable.
Not all of the JDK providers have updated binaries yet...
temurin is in progress https://github.com/adoptium/adoptium/issues/139
you can track it per platform here https://github.com/adoptium/adoptium/issues/140
I played with it a bit here: https://github.com/jumarko/clojure-experiments/blob/master/src/clojure_experiments/security/signing.clj#L1 I wasn't able to reproduce the problem when using buddy-sign but that's probably just because of the lack of skill. As others said, I wouldn't wait with the upgrade.
The Temurin Build and Release Process is really taking its time 😕
@U06BE1L6T buddy uses bouncy castle which isn't vulnerable to this
:ecdsa+sha256 #(Signature/getInstance "SHA256withECDSA" "BC")
:ecdsa+sha384 #(Signature/getInstance "SHA384withECDSA" "BC")
:ecdsa+sha512 #(Signature/getInstance "SHA512withECDSA" "BC")