After logging out of the Admin Console, anyone retaining the deleted login cookie could still use the system.
None. This issue was resolved shortly after receipt. Login cookies no longer work after a logout event.
Thanks to Jayesh Patel for this report on 8/4/18 and to Sumit Jain who reported it a short time later.
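The behavior described above ("login cookies no longer work after a logout event") comes down to revoking the session on the server at logout. The sketch below is an added example, not IronCore's code: the advisory does not state how the Admin Console implemented sessions, so the stateless signed cookie, the class names and the sample user are all assumptions chosen to contrast a logout that only clears the browser cookie with one that invalidates it server-side.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo


class StatelessSessions:
    """Assumed flawed pattern: a self-validating cookie; logout only clears it client-side."""

    def login(self, user):
        tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{tag}"

    def logout(self, cookie):
        pass  # the server keeps no session state, so there is nothing to revoke

    def authenticate(self, cookie):
        user, _, tag = cookie.rpartition(".")
        expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(tag, expected) else None


class ServerSideSessions:
    """Corrected pattern: the cookie is a random id whose server record is deleted at logout."""

    def __init__(self):
        self._active = {}  # sha256(session id) -> user; the raw id is never stored

    @staticmethod
    def _key(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user):
        cookie = secrets.token_urlsafe(32)
        self._active[self._key(cookie)] = user
        return cookie

    def logout(self, cookie):
        self._active.pop(self._key(cookie), None)  # revocation happens on the server

    def authenticate(self, cookie):
        return self._active.get(self._key(cookie))


def retained_cookie_works_after_logout(sessions):
    """Regression check: a copy of the cookie kept before logout must stop working."""
    cookie = sessions.login("admin@example.com")  # constructed sample user
    retained = cookie  # copy held by someone before the browser deleted it
    sessions.logout(cookie)
    return sessions.authenticate(retained) is not None
```

The last function is the check worth keeping in a test suite: it fails the stateless design and passes only when logout removes the server-side record.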
Missing SPF records on subdomains
Certain ironcorelabs.com subdomains were lacking SPF records.
Thanks to Shivam Lohani for the report.
A CORS misconfiguration was detected on IronCore's primary website.
The endpoint in question was part of the web hosting platform and has since been disabled.
Thanks to Shubham Garg for this report.
Regression reducing the randomness for some operations
The randomness of some operations was reduced after a regression was introduced in recrypt-rs 0.8.0. Affected 256-bit operations were:
480-bit operations were not affected.
Secondary (due to dependency on vulnerable recrypt-rs):
All impacted versions have been removed from distribution and patch version bumps with the fix have been released.
A CVE notice will be forthcoming.
We recommend that all users upgrade as soon as possible. Furthermore, we recommend that any keys generated while using a vulnerable library be regenerated if they're used for production purposes. Please note that all encryption operations generate per-object keys as part of encryption, so we recommend that all documents encrypted using these versions of the SDKs be re-encrypted using new document IDs. Groups created using these versions of the SDKs should be re-created, and any data encrypted to the old groups should be encrypted to the new ones.
This issue was found by our team during internal testing.