security issue, need to talk asap
Closed this issue · 4 comments
I don't want to go into details, but I tweeted you on Twitter. There is a severe security issue that needs to be addressed. I would love to help you with it, but this isn't something I can pull and fix. It's more complicated.
After this was peer reviewed by other researchers, it has been deemed not a problem.
Since this was not an issue, would you mind describing the possible concern?
It was related to the .helm/secret-values.yaml file where I store encrypted versions of credentials used during deploys. It's not necessarily obvious from the format, but these values are encrypted (using Werf secrets), so after discussing the encryption format Werf uses (it could perhaps be stronger, but it defaults to AES-CBC-128), this shouldn't be a problem as long as the encryption key stays secret. But I appreciate anyone raising potential security concerns!