https://bugzilla.suse.com/show_bug.cgi?id=1232548
https://bugzilla.suse.com/show_bug.cgi?id=1232548#c1

            Bug ID: 1232548
           Summary: VUL-0: CVE-2024-42460,CVE-2024-42461,CVE-2024-42459:
                    deepin-manual: elliptic: Multiple vulnerabilities fixed in
                    elliptic version 6.5.7
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.5
          Hardware: Other
               URL: https://smash.suse.de/issue/416168/
                OS: Other
            Status: NEW
        Whiteboard: CVSSv3.1:SUSE:CVE-2024-42459:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
                    CVSSv3.1:SUSE:CVE-2024-42460:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
                    CVSSv3.1:SUSE:CVE-2024-42461:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: gianluca.gabrielli@suse.com
        QA Contact: security-team@suse.de
            Blocks: 1232538
  Target Milestone: ---
          Found By: ---
           Blocker: ---

--- Comment #1 from Gianluca Gabrielli <gianluca.gabrielli@suse.com> ---
CVE-2024-42459: In the Elliptic package 6.5.6 for Node.js, EDDSA signature
malleability occurs because there is a missing signature length check, and thus
zero-valued bytes can be removed or appended.

CVE-2024-42460: In the Elliptic package 6.5.6 for Node.js, ECDSA signature
malleability occurs because there is a missing check for whether the leading bit
of r and s is zero.

CVE-2024-42461: In the Elliptic package 6.5.6 for Node.js, ECDSA signature
malleability occurs because BER-encoded signatures are allowed.

The upstream fix for all the above mentioned CVEs is accb61e [0] and was part of
version 6.5.7.

References:
https://github.com/indutny/elliptic/pull/317

[0] https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
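The three CVEs in the comment above are all encoding-malleability bugs: a verifier that tolerates more than one byte string for the same (r, s) or (R, S) lets an attacker produce a "new" valid signature without the private key, which breaks anything that uses signature bytes as a unique identifier or dedup key. The following is an added example, not code from elliptic or from the upstream fix, showing the checks a strict decoder needs: minimal DER lengths (rejecting the BER forms of CVE-2024-42461), minimally encoded positive INTEGERs for r and s (the leading-zero check of CVE-2024-42460), no trailing bytes, and a fixed 64-byte length for Ed25519 signatures (CVE-2024-42459). The r and s values, the Ed25519 byte strings and the malleated variants are constructed for illustration and are not real signatures.

```javascript
// Strict decoding of ECDSA DER signatures plus a fixed-length check for
// Ed25519 signatures. Added example, not elliptic's code.

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Decode a DER length at buf[pos]. Only the minimal encoding is accepted:
// short form for values below 0x80, long form only when the short form does
// not fit, and never the indefinite form (0x80). This rejects the BER
// encodings behind CVE-2024-42461.
function readDerLength(buf, pos) {
  if (pos >= buf.length) throw new Error('truncated length');
  const first = buf[pos];
  if (first < 0x80) return { length: first, next: pos + 1 };
  const numBytes = first & 0x7f;
  if (numBytes === 0 || numBytes > 2) throw new Error('indefinite or oversized length');
  if (pos + 1 + numBytes > buf.length) throw new Error('truncated length');
  let length = 0;
  for (let i = 0; i < numBytes; i++) length = (length << 8) | buf[pos + 1 + i];
  // The long form must be necessary, and the length must not carry a leading zero byte.
  if (length < 0x80 || (numBytes === 2 && length < 0x100)) throw new Error('non-minimal length');
  return { length, next: pos + 1 + numBytes };
}

// Read a DER INTEGER that must be positive and minimally encoded. A leading
// 0x00 byte is only allowed when the next byte has its high bit set (the
// missing check of CVE-2024-42460); a set high bit on the first byte would
// make the value negative, which r and s never are.
function readDerUnsignedInteger(buf, pos) {
  if (buf[pos] !== 0x02) throw new Error('expected INTEGER tag');
  const { length, next } = readDerLength(buf, pos + 1);
  if (length === 0 || next + length > buf.length) throw new Error('bad INTEGER length');
  const body = buf.subarray(next, next + length);
  if (body[0] & 0x80) throw new Error('negative INTEGER');
  if (body[0] === 0x00) {
    if (length === 1) throw new Error('zero is not a valid r or s');
    if ((body[1] & 0x80) === 0) throw new Error('non-minimal INTEGER (padded leading zero)');
  }
  return { value: body, next: next + length };
}

// Parse SEQUENCE { r INTEGER, s INTEGER } and reject any trailing bytes.
// Returns r and s as hex without the DER sign-padding byte.
function parseStrictEcdsaSignature(sig) {
  if (sig[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seq = readDerLength(sig, 1);
  if (seq.next + seq.length !== sig.length) throw new Error('length does not cover the whole signature');
  const r = readDerUnsignedInteger(sig, seq.next);
  const s = readDerUnsignedInteger(sig, r.next);
  if (s.next !== sig.length) throw new Error('trailing bytes after s');
  const strip = (b) => (b[0] === 0x00 ? b.subarray(1) : b);
  return { r: toHex(strip(r.value)), s: toHex(strip(s.value)) };
}

// Ed25519 signatures are exactly 64 bytes (R || S). Accepting any other
// length is what lets zero bytes be stripped or appended (CVE-2024-42459).
function isWellFormedEd25519Signature(sig) {
  return sig.length === 64;
}

// Constructed sample values (not a real signature): r has a clear high bit
// and needs no padding; s has a set high bit and needs a 0x00 pad in DER.
const R_HEX = '7a' + '11'.repeat(31);
const S_HEX = '9c' + '22'.repeat(31);

// Minimal DER encoding of {r, s} for values whose content fits a short-form length.
function derEncode(rHex, sHex) {
  const int = (hex) => {
    const body = (parseInt(hex.slice(0, 2), 16) & 0x80) ? '00' + hex : hex;
    return '02' + (body.length / 2).toString(16).padStart(2, '0') + body;
  };
  const content = int(rHex) + int(sHex);
  return hexToBytes('30' + (content.length / 2).toString(16).padStart(2, '0') + content);
}

const canonicalHex = toHex(derEncode(R_HEX, S_HEX));
const variants = {
  canonical: canonicalHex,
  // BER long-form SEQUENCE length (81 45) where short form (45) is required.
  berLength: '3081' + canonicalHex.slice(2),
  // r padded with an unneeded leading zero: INTEGER length 0x21, body 00 7a ...
  paddedR: '3046' + '0221' + '00' + canonicalHex.slice(8),
  // A zero byte appended after s.
  trailing: canonicalHex + '00',
};

function checkSignature(hex) {
  try {
    parseStrictEcdsaSignature(hexToBytes(hex));
    return 'accepted';
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

for (const [name, hex] of Object.entries(variants)) console.log(name, checkSignature(hex));
```

Only the canonical encoding is accepted; the three malleated forms are rejected at the length, INTEGER and trailing-byte checks respectively. The same r and s that fail here would still verify mathematically, which is exactly why the encoding, not just the arithmetic, has to be canonical.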