[GHSA-wj6h-64fc-37mp] Minerva timing attack on P-256 in python-ecdsa

[levpachmanov]

Updates

• Affected products

Comments
This vulnerability wasn't fixed -
it wasn't really fixed in any version you can see here - GHSA-wj6h-64fc-37mp
As stated in the security policy side-channel vulnerabilities are outside the scope of the project. Not because we don't want side-channel secure implementation, but because the main goal of the project is to be pure python and implementing side-channel free code in pure python is impossible.
it is not mentioned in their release note
and snyk agrees - https://security.snyk.io/vuln/SNYK-PYTHON-ECDSA-6184115

[github]

Hi there @tomato42! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[tomato42]

Correct, the issue has not been addressed, there is no fixed version and there won't be a fixed version.

👍

[advisory-database]

Hi @levpachmanov! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!