20treeai / martin
This project is a fork of maplibre/martin
Blazing fast and lightweight PostGIS vector tiles server
Home Page: https://martin.urbica.co
License: Apache License 2.0
Marvin Attack: potential key recovery through timing side channels

| Field | Details |
|---|---|
| Package | rsa |
| Version | 0.9.5 |
| URL | RustCrypto/RSA#19 (comment) |
| Date | 2023-11-22 |

Due to a non-constant-time implementation, information about the private key is leaked through timing information that is observable over the network. An attacker may be able to use that information to recover the key.
No patch is yet available; however, work is underway to migrate to a fully constant-time implementation.
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information; e.g. local use on a non-compromised computer is fine.
This vulnerability was discovered as part of the "Marvin Attack", which revealed that several RSA implementations, including OpenSSL's, had not properly mitigated timing side-channel attacks.
See the advisory page for additional details.
Hi, I noticed you have some CORS-related changes; could you start a PR and/or an issue about this? I suspect it might impact more users, and it would be good to solve it upstream.
Hi, I noticed you have some CORS configuration changes in maplibre/martin@main...20treeAI:martin:main
Should these be pushed upstream? I'm not certain why you had to add those.
libsqlite3-sys via C SQLite CVE-2022-35737

| Field | Details |
|---|---|
| Package | libsqlite3-sys |
| Version | 0.24.2 |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2022-35737 |
| Date | 2022-08-03 |
| Patched versions | >=0.25.1 |

It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large strings were input into SQLite's printf function.
As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite in 0.25.1.
See the advisory page for additional details.
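As an added example (not code from martin, RustSec or Dependabot), the following Rust program scans Cargo.lock text for the two advisories reported above: any `rsa` entry, since the Marvin Attack advisory lists no patched version, and `libsqlite3-sys` below 0.25.1 for CVE-2022-35737. The lockfile fragment `LOCK` is constructed, and the minimal `[[package]]` parsing and the `check`/`audit_lock` names are this example's own assumptions rather than cargo-audit's behaviour.

```rust
/// Parse "major.minor.patch" into a comparable tuple (missing parts default to 0).
fn parse_version(v: &str) -> (u64, u64, u64) {
    let mut it = v.split('.').map(|p| p.parse::<u64>().unwrap_or(0));
    (it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}
/// Compare one (name, version) pair against the two advisories on this page.
/// Returns (package, version, advice) when the crate is affected.
pub fn check(name: &str, version: &str) -> Option<(String, String, &'static str)> {
    let advice = match name {
        // Marvin Attack: no patched rsa release existed at advisory time, so every
        // version is reported; only the deployment context can mitigate it.
        "rsa" => "Marvin Attack: no patch; avoid where timing is network-observable",
        // CVE-2022-35737 via the bundled SQLite; fixed in libsqlite3-sys >= 0.25.1.
        "libsqlite3-sys" if parse_version(version) < (0, 25, 1) => {
            "CVE-2022-35737: upgrade to >= 0.25.1"
        }
        _ => return None,
    };
    Some((name.to_string(), version.to_string(), advice))
}
/// Walk the `[[package]]` tables of Cargo.lock text and collect affected crates.
pub fn audit_lock(lock: &str) -> Vec<(String, String, &'static str)> {
    let mut findings = Vec::new();
    // Text before the first header has no name/version and is skipped naturally.
    for table in lock.split("[[package]]") {
        let field = |key: &str| {
            table.lines().map(str::trim)
                .find_map(|l| l.strip_prefix(key))
                .map(|v| v.trim_matches('"').to_string())
        };
        if let (Some(n), Some(v)) = (field("name = "), field("version = ")) {
            findings.extend(check(&n, &v));
        }
    }
    findings
}
/// Constructed Cargo.lock fragment (not martin's real lockfile).
pub const LOCK: &str = r#"
[[package]]
name = "rsa"
version = "0.9.5"

[[package]]
name = "libsqlite3-sys"
version = "0.24.2"
"#;
fn main() {
    for (pkg, ver, advice) in audit_lock(LOCK) {
        println!("{pkg} {ver}: {advice}");
    }
}
```

Running it against a real lockfile (for example `audit_lock(&std::fs::read_to_string("Cargo.lock")?)`) reports the same two crates the bot issues above flag, and nothing once libsqlite3-sys is at 0.25.1 or later.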
In the latest action it looks like we're pushing to ghcr.io/maplibre/martin:main.
I cannot see that we ever pushed to our own there, but it might be as easy as changing https://github.com/20treeAI/martin/actions/runs/5000718020/workflow#L39 to eu.gcr.io/tree-266510/martin?