WordPress.org
Get WordPress

Make WordPress Core

Opened 7 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#64462 closed task (blessed) (fixed)

Update Sodium Compat to 1.24.0

Reported by: paragoninitiativeenterprises's profile paragoninitiativeenterprises Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.9.1 Priority: normal
Severity: normal Version:
Component: External Libraries Keywords: has-patch fixed-major dev-reviewed
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Read: https://00f.net/2025/12/30/libsodium-vulnerability/

Triggering this vulnerability would require working on the underlying internal edwards25519 code rather than the high level crypto_sign API or Ristretto255 API.

It's incredibly unlikely that anyone will actually be affected by this. Therefore, I do not believe this warrants being treated as a security issue for WordPress's purposes (i.e., requiring a confidential HackerOne ticket rather than Trac).

However, on the offchance that the unlikely happens, please make sure the update is backported to all supported WordPress versions in the next patch release. Better safe than sorry.

https://github.com/paragonie/sodium_compat/compare/v1.23.0...v1.24.0

Change History (11)

#2 @johnbillion
7 weeks ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from Awaiting Review to 7.0
  • Type changed from defect (bug) to task (blessed)
  • Version trunk deleted

Thanks for the ticket!

#3 @SergeyBiryukov
7 weeks ago

  • Description modified (diff)

This ticket was mentioned in PR #10672 on WordPress/wordpress-develop by @SergeyBiryukov.
7 weeks ago #4

  • Keywords has-patch added; needs-patch removed

Trac ticket: https://core.trac.wordpress.org/ticket/64462

#5 @SergeyBiryukov
7 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 61419:

Upgrade/Install: Update sodium_compat to v1.24.0.

The latest version includes a security fix to ensure that the public key is on the prime order subgroup.

References:

Follow-up to [55699], [58752], [58753], [60787], [60905].

Props paragoninitiativeenterprises, johnbillion, SergeyBiryukov.
Fixes #64462.

#6 @SergeyBiryukov
7 weeks ago

  • Keywords fixed-major added
  • Milestone changed from 7.0 to 6.9.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 6.9.1 consideration.

#7 @peterwilsoncc
6 weeks ago

  • Keywords dev-reviewed added

r61419 approved for merging to the 6.9 branch.

This ticket was mentioned in PR #10687 on WordPress/wordpress-develop by @jorbin.
6 weeks ago #8

Test to ensure there is a clean backport

Trac ticket: https://core.trac.wordpress.org/ticket/64462

This ticket was mentioned in Slack in #core by jorbin. View the logs.
4 weeks ago

#10 @jorbin
3 weeks ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 61533:

Upgrade/Install: Update sodium_compat to v1.24.0.

The latest version includes a security fix to ensure that the public key is on the prime order subgroup.

References:

Follow-up to [55699], [58752], [58753], [60787], [60905].

Reviewed by jorbin.
Merges [61419] to the 6.9 branch.

Props paragoninitiativeenterprises, johnbillion, SergeyBiryukov.
Fixes #64462.

Note: See TracTickets for help on using tickets.