Bug #16792

closed

Update Two Factor plugin to 0.7.2

Added by Raymond Hoh over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: WordPress Plugins
Target version:
Start date: 2022-09-13
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

As Jeremy mentioned, there is a new security update for the Two Factor plugin.

The main change is https://github.com/WordPress/two-factor/pull/453 (specifically, https://github.com/WordPress/two-factor/pull/453/commits/5ff442a9ba868ade098826d5afcf71104ac1407b): the two-factor plugin now hashes the key that generates the login nonce instead of leaving it in the clear in user meta.

I don't think this necessitates pushing an update to production immediately, as an attacker would need DB access in order to fetch the key. Also, login nonces are deleted immediately after successful 2FA logins, so the attack vector is minimal.

I'll stage the update for 2.0.8 for now and we can make a decision whether we want to push it to production before the next maintenance update.
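The following is an added illustration of the storage change the description refers to (stored cleartext key versus stored hash), written in Python as a stand-alone model rather than in PHP; it is not code from the Two Factor plugin or from this project. The user-meta dictionary, the `_login_nonce` meta key, the ten-minute TTL and the use of plain SHA-256 are all assumptions made for the example; the plugin's actual meta key names, hashing routine and expiry are not taken from the page.

```python
"""Login-nonce storage, cleartext vs hashed: illustrative model, not the plugin's code."""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 10 * 60  # assumption: a ten-minute window to finish the second factor

# Stand-in for the WordPress user-meta table: {user_id: {meta_key: value}}.
# In a real deployment this lives in wp_usermeta, which is what a DB-level attacker can read.
user_meta = {}

META_KEY = "_login_nonce"  # assumed meta key name, not necessarily the plugin's


def _get_meta(user_id, key):
    return user_meta.get(user_id, {}).get(key)


def _update_meta(user_id, key, value):
    user_meta.setdefault(user_id, {})[key] = value


def _delete_meta(user_id, key):
    user_meta.get(user_id, {}).pop(key, None)


def hash_nonce(nonce):
    """One-way transform applied before storage. The random key carries 256 bits of
    entropy, so an unsalted SHA-256 digest cannot be inverted or brute-forced."""
    return hashlib.sha256(nonce.encode("ascii")).hexdigest()


def create_login_nonce(user_id, hashed, now=None):
    """Issue a fresh single-use login nonce and return the value the browser must present.
    hashed=False stores the value itself in user meta (the old behaviour);
    hashed=True stores only its digest (the behaviour the update introduces)."""
    now = time.time() if now is None else now
    key = secrets.token_hex(32)
    stored = hash_nonce(key) if hashed else key
    _update_meta(user_id, META_KEY, {"key": stored, "hashed": hashed,
                                     "expiration": now + NONCE_TTL_SECONDS})
    return key


def verify_login_nonce(user_id, presented, now=None):
    """Check a presented nonce against user meta. Expired or mismatching nonces are
    rejected; a matching nonce is deleted so it cannot be replayed."""
    now = time.time() if now is None else now
    record = _get_meta(user_id, META_KEY)
    if record is None:
        return False
    if now > record["expiration"]:
        _delete_meta(user_id, META_KEY)
        return False
    candidate = hash_nonce(presented) if record["hashed"] else presented
    if not hmac.compare_digest(record["key"], candidate):
        return False
    _delete_meta(user_id, META_KEY)  # single use: consumed on success
    return True


def replay_stolen_record(user_id, now=None):
    """Model an attacker with read access to the DB: take whatever is stored under the
    user's nonce meta and submit it as the nonce. Returns True if the replay is accepted."""
    record = _get_meta(user_id, META_KEY)
    if record is None:
        return False
    return verify_login_nonce(user_id, record["key"], now)


def demo():
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    results = {}

    # Old behaviour: the stored value IS the nonce, so a DB reader can pass the nonce check.
    create_login_nonce(1, hashed=False, now=t0)
    results["cleartext_replay"] = replay_stolen_record(1, now=t0)

    # New behaviour: the stored digest is not a valid nonce, so the same replay fails.
    key = create_login_nonce(1, hashed=True, now=t0)
    results["hashed_replay"] = replay_stolen_record(1, now=t0)
    # The legitimate browser still succeeds, and the record is consumed on success.
    results["legit"] = verify_login_nonce(1, key, now=t0 + 30)
    results["second_use"] = verify_login_nonce(1, key, now=t0 + 31)

    # Expiry: a nonce older than the TTL is rejected even with the right value.
    key = create_login_nonce(1, hashed=True, now=t0)
    results["expired"] = verify_login_nonce(1, key, now=t0 + NONCE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The hash only protects against an attacker who can read user meta; anyone with write access to the table could store the digest of a value they already know, so the change narrows the read-only exposure the description mentions rather than making DB access harmless. The single-use deletion in `verify_login_nonce` models the behaviour the description cites as the reason the window is small.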
