diff --git a/CVE-2025-59432.patch b/CVE-2025-59432.patch
deleted file mode 100644
index 63a6a30bba112b0ce48d82d77c85d9ce328c1330..0000000000000000000000000000000000000000
--- a/CVE-2025-59432.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From e0b0cf99f05406a0d26682c72fcb5728e95124b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jorge=20Sol=C3=B3rzano?=
-Date: Tue, 16 Sep 2025 19:51:50 +0200
-Subject: [PATCH] fix(security): Timing Attack Vulnerability
-
-A timing attack vulnerability exists in the SCRAM Java implementation.
-The issue arises because Arrays.equals was used to compare secret values
-such as client proofs and server signatures. Since Arrays.equals
-performs a short-circuit comparison, the execution time varies depending
-on how many leading bytes match. This behavior could allow an attacker
-to perform a timing side-channel attack and potentially infer sensitive
-authentication material. All users relying on SCRAM authentication are
-impacted.
-
-This vulnerability has been patched by replacing Arrays.equals with
-MessageDigest.isEqual, which ensures constant-time comparison.
----
- checks/forbiddenapis.txt | 2 ++
- .../main/java/com/ongres/scram/common/ScramFunctions.java | 8 ++++----
- scram-parent/pom.xml | 3 +++
- 3 files changed, 9 insertions(+), 4 deletions(-)
- create mode 100644 checks/forbiddenapis.txt
-
-diff --git a/checks/forbiddenapis.txt b/checks/forbiddenapis.txt
-new file mode 100644
-index 0000000..57bd571
---- /dev/null
-+++ b/checks/forbiddenapis.txt
-@@ -0,0 +1,2 @@
-+
-+java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])
-diff --git a/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java b/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
-index 43687c4..a129e55 100644
---- a/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
-+++ b/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
-@@ -7,8 +7,8 @@ package com.ongres.scram.common;
- 
- import static java.nio.charset.StandardCharsets.UTF_8;
- 
-+import java.security.MessageDigest;
- import java.security.SecureRandom;
--import java.util.Arrays;
- 
- import com.ongres.scram.common.util.Preconditions;
- import org.jetbrains.annotations.NotNull;
-@@ -190,8 +190,7 @@ public final class ScramFunctions {
- byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
- byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
- byte[] computedStoredKey = hash(scramMechanism, clientKey);
--
-- return Arrays.equals(storedKey, computedStoredKey);
-+ return MessageDigest.isEqual(storedKey, computedStoredKey);
- }
- 
- /**
-@@ -205,7 +204,8 @@ public final class ScramFunctions {
- */
- public static boolean verifyServerSignature(
- ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
-- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
-+ byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
-+ return MessageDigest.isEqual(serverSignature, computedServerSignature);
- }
- 
- /**
-diff --git a/scram-parent/pom.xml b/scram-parent/pom.xml
-index b155dae..d26323d 100644
---- a/scram-parent/pom.xml
-+++ b/scram-parent/pom.xml
-@@ -530,6 +530,9 @@
- 
- jdk-system-out
- 
-+ 
-+ ${checks.location}/forbiddenapis.txt
-+ 
- 
- 
- 
--- 
-2.43.0
-
diff --git a/ongres-scram.spec b/ongres-scram.spec
index 5f2626d82470ed5ae305c6fec7a9b3bdf231478a..8226e46fb887574e180da27993b4ffadb512fc88 100644
--- a/ongres-scram.spec
+++ b/ongres-scram.spec
@@ -1,23 +1,17 @@
 Name: ongres-scram
-Version: 3.0
-Release: 2
+Version: 3.2
+Release: 1
 Summary: Java Implementation for SCRAM(Salted Challenge Response Authentication Mechanism)
-License: BSD
+License: BSD-2-Clause
 URL: https://github.com/ongres/scram
-Source0: https://github.com/ongres/scram/archive/3.0/scram-3.0.tar.gz
+Source0: https://github.com/ongres/scram/archive/%{version}/scram-%{version}.tar.gz
 Patch0: 0001-convert-String-to-char-array.patch
-Patch1: CVE-2025-59432.patch
-BuildRequires: maven-local ongres-stringprep junit5
-BuildRequires: mvn(org.apache.maven.plugins:maven-install-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-invoker-plugin)
-BuildRequires: mvn(org.jetbrains:annotations)
-BuildRequires: mvn(org.apache.maven.plugins:maven-compiler-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-jar-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-resources-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-surefire-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-gpg-plugin)
-BuildRequires: mvn(org.jacoco:jacoco-maven-plugin)
+BuildRequires: maven-local
+BuildRequires: jurand
+BuildRequires: mvn(com.ongres.stringprep:saslprep)
+BuildRequires: mvn(org.junit.jupiter:junit-jupiter)
+BuildRequires: java-11-openjdk-devel
+Requires: java-11-openjdk
 BuildArch: noarch
 
 Provides: mvn(com.ongres.scram:common) = %{version}
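Review bot: `Requires: java-11-openjdk` pins the runtime of this `noarch` library to one specific JDK package; with `maven-local` in `BuildRequires`, the javapackages generators usually derive the runtime requirement (`java-headless`) from the built jar, so the manual line is at best redundant and at worst keeps the package from installing next to a newer JRE that runs the same bytecode. If the line exists only to mirror the `java-11-openjdk-devel` build pin, a one-line comment above it saying so would spare the next maintainer the guess; otherwise drop it and let the generator supply the dependency. The same question applies to `export JAVA_HOME=%{_jvmdir}/java-11-openjdk` in the `%build` hunk below.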
@@ -50,21 +44,29 @@ Provides: mvn(com.ongres.scram:parent:pom:) = %{version}
 This package contains the ongres-scram parent POM.
 
 %prep
-%autosetup -p1 -n "scram-3.0"
-%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin scram-client
-%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin scram-common
-%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin scram-parent
-%pom_remove_plugin :nexus-staging-maven-plugin scram-parent
-%pom_remove_plugin :maven-source-plugin scram-parent
-%pom_remove_plugin -r :maven-javadoc-plugin scram-parent
-%pom_remove_plugin -r :cyclonedx-maven-plugin scram-parent
-%pom_remove_plugin -r :maven-deploy-plugin scram-parent
-%pom_remove_plugin -r :maven-enforcer-plugin scram-parent
-%pom_change_dep org.junit.jupiter:junit-jupiter org.junit.jupiter:junit-jupiter-api scram-parent
-rm -rf scram-common/src/test/java/com/ongres/scram/common/UsAsciiUtilsTest.java
+%autosetup -p1 -n scram-%{version}
+
+find \( -name '*.jar' -o -name '*.class' \) -delete
+
+%pom_remove_plugin -r :maven-javadoc-plugin
+%pom_remove_plugin -r :maven-enforcer-plugin
+%pom_remove_plugin -r :flatten-maven-plugin
+%pom_remove_plugin -r :maven-invoker-plugin
+%pom_remove_plugin :maven-resources-plugin scram-parent
+
+%pom_remove_dep org.jetbrains:annotations scram-parent
+
+%java_remove_annotations . -s -n NotNull -n Unmodifiable -n Nullable
+
+%pom_xpath_inject 'pom:plugin[pom:artifactId = "maven-jar-plugin"]/pom:configuration/pom:archive' '
+
+ true
+
+' scram-parent
 
 %build
-%mvn_build -s
+export JAVA_HOME=%{_jvmdir}/java-11-openjdk
+%mvn_build -f -s
 
 %install
 %mvn_install
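Review bot: `%mvn_build -f -s` turns off the test run (in javapackages `-f`/`--force` is the skip-tests switch), so the upstream SCRAM test suite no longer executes during the package build even though `BuildRequires: mvn(org.junit.jupiter:junit-jupiter)` is kept. This update is what replaces the now-deleted `CVE-2025-59432.patch`, and after `%java_remove_annotations` and the pom edits the test run was the only in-build check that the 3.2 sources still compile and pass their own verification tests. Unless a specific test is known to fail in the buildroot, use `%mvn_build -s`; if one does, exclude only that test and add a comment naming the reason (the old `rm -rf ...UsAsciiUtilsTest.java` line did the exclusion but never said why). The element names inside the `%pom_xpath_inject` block are not visible in this rendering (only `true` survives), so whatever is injected under `pom:archive` cannot be reviewed here.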
@@ -81,6 +83,13 @@ rm -rf scram-common/src/test/java/com/ongres/scram/common/UsAsciiUtilsTest.java
 %files parent -f .mfiles-scram-parent
 
 %changelog
+* Wed Oct 15 2025 yaoxin <1024769339@qq.com> - 3.2-1
+- Update to 3.2:
+ * Fix Timing Attack Vulnerability in SCRAM Authentication
+ * Update of the saslprep dependency to 2.2
+ * Added coverage report module
+ * Remove nexus-staging-maven-plugin
+
 * Wed Sep 24 2025 jinshuaiyu - 3.0-2
 - fix CVE-2025-59432
 - fix(security): Timing Attack Vulnerability
diff --git a/scram-3.0.tar.gz b/scram-3.0.tar.gz
deleted file mode 100644
index f751f5e255677899d391baec2dab3a345c0ee540..0000000000000000000000000000000000000000
Binary files a/scram-3.0.tar.gz and /dev/null differ
diff --git a/scram-3.2.tar.gz b/scram-3.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e5f8e9f04b0478dc9b54c8610bf581714fac138c
Binary files /dev/null and b/scram-3.2.tar.gz differ