Upgrade devise-two-factor and devise-pbkdf2-encryptable (!190571) · Merge requests · GitLab.org / GitLab

What?

Upgrades devise-two-factor and devise-pbkdf2

Why?

Our devise-two-factor version 4.1.1 has these 2 vulnerabilities:
- Brute force attacks must be mitigated (TOTP bypass)
- Insufficient Default OTP Shared Secret Length
Our devise-pbkdf2 vendored gem depends on devise-two-factor version 4.1.1 so it also has to be updated

How to set up and validate locally

pbkdf2 is the fallback of bcrypt and is used in FIDO_mode

Follow these steps to verify.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Upgrade devise-two-factor and devise-pbkdf2-encryptable

What?

Why?

How to set up and validate locally

MR acceptance checklist

Merge request reports