Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged

Filter by:

With package: perl538Packages.AuthenSCRAM

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2025-59432

created 2 months, 3 weeks ago

Timing Attack Vulnerability in SCRAM Authentication

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. This vulnerability has been patched in version 3.1 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison.

References

https://github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537 x_refsource_CONFIRM
https://github.com/ongres/scram/commit/f04975680d4a67bc84cc6c61bbffd5186223e2e2 x_refsource_MISC
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte%5B%5D,byte%5B%5D) x_refsource_MISC
https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3 x_refsource_MISC

Affected products

scram

==< 3.2

Matching in nixpkgs

pkgs.perlPackages.AuthenSCRAM

Salted Challenge Response Authentication Mechanism (RFC 5802)

nixos-unstable 0.011
- nixpkgs-unstable 0.011
- nixos-unstable-small 0.011
nixos-25.11 0.011
- nixpkgs-25.11-darwin 0.011

pkgs.python312Packages.scramp

Implementation of the SCRAM authentication protocol

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.python313Packages.scramp

Implementation of the SCRAM authentication protocol

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.perl538Packages.AuthenSCRAM

Salted Challenge Response Authentication Mechanism (RFC 5802)

nixos-unstable 0.011
- nixpkgs-unstable 0.011
- nixos-unstable-small 0.011
nixos-25.11 0.011
- nixpkgs-25.11-darwin 0.011

pkgs.perl540Packages.AuthenSCRAM

Salted Challenge Response Authentication Mechanism (RFC 5802)

nixos-unstable 0.011
- nixpkgs-unstable 0.011
- nixos-unstable-small 0.011

pkgs.haskellPackages.yaml-unscrambler

Flexible declarative YAML parsing toolkit

nixos-unstable 0.1.0.19
- nixpkgs-unstable 0.1.0.19
- nixos-unstable-small 0.1.0.19
nixos-25.11 0.1.0.20
- nixpkgs-25.11-darwin 0.1.0.20

Package maintainers

@stigtsp Stig Palmquist <stig@stig.io>

1