◈ 9ce92808be498e9e05590ff27cbfdfe4
RNS 1.3.8 released https://pypi.org/project/rns/
Forum / General / Reporting a vuln?

Reporting a vuln?

Discussion

Started by KenAKAFrosty ·

I've bumped into a vulnerability in the reference impl (confirmed 1.3.7, human-reviewed lol, not just hallucinated nonsense) that can DoS announce propagation.

Blast radius is limited and there's no RCE or anything like that, but it's trivial to perform. And this doesn't seem like a tradeoff for some other benefit; it looks like it's just a small oversight, with a pretty straightforward path to fixing it.

Where's the best place to privately report the details now?

Anonymous

If you mean the fact you can just spam announces, there's a ratelimit system but it isn't on by default.

If you don't, contacting Mark over LXMF is probably best, and checking if he's online in the rrc hub general room and pinging him there might also work.

Anonymous wrote:

If you mean the fact you can just spam announces, there's a ratelimit system but it isn't on by default.

If you don't, contacting Mark over LXMF is probably best, and checking if he's online in the rrc hub general room and pinging him there might also work.

Thanks, and yeah I definitely don't mean just spamming announces, this would have to be specifically malicious in a certain way

Mark bc7291552be7a58f...

You can send me the details over LXMF or email, and I'll have a look at it immediately.

Mark wrote:

You can send me the details over LXMF or email, and I'll have a look at it immediately.

Thanks, Mark!! Just emailed you (a light bump in urgency since first discovery)

Post a Reply

Markdown

Supports Markdown: **bold**, *italic*, `code`, ```code blocks```, [links](url)

Log in to upload images

Proof of work verification for anonymous posting

Copied to clipboard