Bug #16792

closed

Update Two Factor plugin to 0.7.2

Added by Raymond Hoh 3 months ago. Updated 2 months ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: WordPress Plugins
Target version:
Start date: 2022-09-13
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

As Jeremy mentioned, there is a new security update for the Two Factor plugin.

The main change is https://github.com/WordPress/two-factor/pull/453. (Specifically, https://github.com/WordPress/two-factor/pull/453/commits/5ff442a9ba868ade098826d5afcf71104ac1407b.) And the two-factor plugin is now hashing the key that generates the login nonce instead of leaving it in the clear in user meta.

I don't think this necessitates pushing an update to production immediately, as an attacker would need DB access in order to fetch the key. Also, login nonces are deleted immediately after successful 2FA logins, so the attack vector is minimal.

I'll stage the update for 2.0.8 for now and we can make a decision whether we want to push it to production before the next maintenance update.
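To illustrate the change the description refers to, here is an added PHP example; it is not the Two Factor plugin's own code and is not taken from pull request 453. It places a login-nonce store that keeps the key in the clear next to one that persists only a hash of the key, so that reading the stored record (the DB-access scenario above) does not yield a value that passes verification. An in-memory array stands in for user meta, and the meta key name `_two_factor_nonce`, the 600-second lifetime and all function names are assumptions made for this example.

```php
<?php
// Added illustration, not the Two Factor plugin's code.
// Contrast: storing the login-nonce key in the clear vs. storing only its hash.
// $meta is an in-memory stand-in for user meta: [ user_id => [ meta_key => value ] ].

const NONCE_TTL = 600; // seconds; assumed lifetime, not the plugin's value

$meta = [];

// --- Vulnerable pattern: the raw key is persisted ---------------------------
function create_login_nonce_plain(array &$meta, int $user_id): string {
    $key = bin2hex(random_bytes(32));
    $meta[$user_id]['_two_factor_nonce'] = [
        'key'        => $key,               // readable by anyone who can read the table
        'expiration' => time() + NONCE_TTL,
    ];
    return $key;
}

// --- Hardened pattern: only a hash of the key is persisted ------------------
function hash_login_nonce(int $user_id, string $key): string {
    // Bind the hash to the user id so a record cannot be moved between accounts.
    // The key carries 256 bits of entropy, so an unkeyed hash cannot be brute-forced.
    return hash('sha256', $user_id . ':' . $key);
}

function create_login_nonce_hashed(array &$meta, int $user_id): string {
    $key = bin2hex(random_bytes(32));
    $meta[$user_id]['_two_factor_nonce'] = [
        'key'        => hash_login_nonce($user_id, $key), // hash only
        'expiration' => time() + NONCE_TTL,
    ];
    return $key; // the plaintext key lives only in the login flow, never in the table
}

function verify_login_nonce_hashed(array &$meta, int $user_id, string $submitted): bool {
    $record = $meta[$user_id]['_two_factor_nonce'] ?? null;
    if ($record === null) {
        return false;
    }
    if (time() > $record['expiration']) {
        unset($meta[$user_id]['_two_factor_nonce']); // expired: discard
        return false;
    }
    // Constant-time comparison of the stored hash with the hash of the submitted key.
    $ok = hash_equals($record['key'], hash_login_nonce($user_id, $submitted));
    if ($ok) {
        unset($meta[$user_id]['_two_factor_nonce']); // single use, as the ticket describes
    }
    return $ok;
}

// --- Demonstration ----------------------------------------------------------
$user_id = 42;

$plain_key = create_login_nonce_plain($meta, $user_id);
$leaked    = $meta[$user_id]['_two_factor_nonce']['key'];
echo "plain store: stored value equals the key? ", ($leaked === $plain_key ? 'yes' : 'no'), "\n";

$key    = create_login_nonce_hashed($meta, $user_id);
$stored = $meta[$user_id]['_two_factor_nonce']['key'];
echo "hashed store: stored value equals the key? ", ($stored === $key ? 'yes' : 'no'), "\n";
echo "hashed store: stored value accepted as nonce? ",
    (verify_login_nonce_hashed($meta, $user_id, $stored) ? 'yes' : 'no'), "\n";
echo "hashed store: real key accepted? ",
    (verify_login_nonce_hashed($meta, $user_id, $key) ? 'yes' : 'no'), "\n";
echo "hashed store: real key accepted a second time? ",
    (verify_login_nonce_hashed($meta, $user_id, $key) ? 'yes' : 'no'), "\n";
```

Run it with `php` on the command line. The last three lines show the two properties that matter here: the persisted value is rejected when replayed as a nonce, and a nonce is consumed on its first successful use, which is what limits the window the description calls minimal.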

#1

Updated by Raymond Hoh 3 months ago

  • Status changed from New to Staged for Production Release
#2

Updated by Boone Gorges 2 months ago

  • Status changed from Staged for Production Release to Resolved