node-elliptic: CVE-2020-13822

Debian Bug report logs - #963149
node-elliptic: CVE-2020-13822

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 19 Jun 2020 17:15:02 UTC

Severity: important

Tags: security, upstream

Found in version node-elliptic/6.5.1~dfsg-2

Fixed in version node-elliptic/6.5.3~dfsg-1

Done: Jonas Smedegaard <dr@jones.dk>

Forwarded to https://github.com/indutny/elliptic/issues/226


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#963149; Package src:node-elliptic. (Fri, 19 Jun 2020 17:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 19 Jun 2020 17:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-elliptic: CVE-2020-13822
Date: Fri, 19 Jun 2020 19:11:13 +0200
Source: node-elliptic
Version: 6.5.1~dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/indutny/elliptic/issues/226

Hi,

The following vulnerability was published for node-elliptic.

CVE-2020-13822[0]:
| The Elliptic package 6.5.2 for Node.js allows ECDSA signature
| malleability via variations in encoding, leading '\0' bytes, or
| integer overflows. This could conceivably have a security-relevant
| impact if an application relied on a single canonical signature.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13822
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13822
[1] https://github.com/indutny/elliptic/issues/226

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
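The CVE text above names three ways the same ECDSA (r, s) pair can arrive in a different byte form and still verify: alternative DER length encodings, extra leading '\0' bytes on r or s, and r or s values outside the valid range [1, n-1]. Any application that keys on the signature bytes themselves (deduplication, content ids, replay caches) needs exactly one accepted encoding per (r, s), which is what a strict DER check gives it. The following is an added example, not code from this bug report or from the elliptic project: a canonical-DER parser and matching encoder in plain Node.js with no dependencies. The function names are my own, the sample byte arrays are constructed, and the order constant assumes secp256k1 (pass another curve's order for a different curve).

```javascript
// Added example, not code from the Debian bug report or the elliptic project:
// a strict parser accepting only canonical DER for an ECDSA signature,
// SEQUENCE { INTEGER r, INTEGER s }, rejecting the variants the CVE names
// (alternative length encodings, leading '\0' bytes, r or s outside [1, n-1]).

// secp256k1 group order n, the curve most elliptic callers use (assumption:
// pass your own curve's order for a different curve).
const SECP256K1_ORDER =
  0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

// DER length: short form below 0x80, or one-byte long form (0x81 LL) only when
// LL >= 0x80. Indefinite (0x80) is BER-only; 0x82+ never fits a signature.
function readLength(sig, pos) {
  const first = sig[pos];
  if (first === undefined) throw new Error('truncated length');
  if (first < 0x80) return { len: first, next: pos + 1 };
  if (first === 0x81 && sig[pos + 1] >= 0x80) return { len: sig[pos + 1], next: pos + 2 };
  throw new Error('non-minimal or unsupported length encoding');
}

// Read one INTEGER at `pos` and enforce the canonical-encoding rules.
function readCanonicalInteger(sig, pos, order) {
  if (sig[pos] !== 0x02) throw new Error('expected INTEGER tag');
  const { len, next: start } = readLength(sig, pos + 1);
  const end = start + len;
  if (len === 0 || end > sig.length) throw new Error('bad INTEGER length');
  const body = sig.subarray(start, end);
  // Two's complement: a set top bit would mean a negative number.
  if (body[0] & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is allowed only when needed to keep the value positive.
  if (body[0] === 0x00 && len > 1 && !(body[1] & 0x80)) {
    throw new Error('superfluous leading zero byte');
  }
  const value = bytesToBigInt(body);
  // A correct signer never produces 0 or anything >= n.
  if (value === 0n || value >= order) throw new Error('INTEGER out of range [1, n-1]');
  return { value, next: end };
}

// Parse a signature, throwing on the first deviation from canonical DER.
function parseCanonicalEcdsaDer(sig, order = SECP256K1_ORDER) {
  sig = Buffer.from(sig); // Buffer, Uint8Array or plain byte array
  if (sig[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const { len: seqLen, next: bodyStart } = readLength(sig, 1);
  if (bodyStart + seqLen !== sig.length) throw new Error('SEQUENCE length mismatch');
  const r = readCanonicalInteger(sig, bodyStart, order);
  const s = readCanonicalInteger(sig, r.next, order);
  if (s.next !== sig.length) throw new Error('trailing bytes after s');
  return { r: r.value, s: s.value };
}

// Verdict form, for callers that want to log why a signature was rejected.
function checkSignatureEncoding(sig, order = SECP256K1_ORDER) {
  try {
    const { r, s } = parseCanonicalEcdsaDer(sig, order);
    return { ok: true, r, s, reason: null };
  } catch (e) {
    return { ok: false, r: null, s: null, reason: e.message };
  }
}

// Canonical encoder, so a parsed (r, s) can be re-serialised and compared
// byte-for-byte with what was received.
function bigIntToMinimalBytes(v) {
  let hex = v.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const bytes = Buffer.from(hex, 'hex');
  return bytes[0] & 0x80 ? Buffer.concat([Buffer.from([0x00]), bytes]) : bytes;
}
const derLength = (n) => Buffer.from(n < 0x80 ? [n] : [0x81, n]);

function encodeCanonicalEcdsaDer(r, s) {
  const rb = bigIntToMinimalBytes(r), sb = bigIntToMinimalBytes(s);
  const body = Buffer.concat([Buffer.from([0x02]), derLength(rb.length), rb,
                              Buffer.from([0x02]), derLength(sb.length), sb]);
  return Buffer.concat([Buffer.from([0x30]), derLength(body.length), body]);
}

// Constructed sample inputs (r = 1, s = 2 in each; not real signatures).
const CONSTRUCTED_SAMPLES = {
  canonical:      [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02],
  leadingZero:    [0x30, 0x07, 0x02, 0x02, 0x00, 0x01, 0x02, 0x01, 0x02],
  longFormLength: [0x30, 0x81, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02],
  trailingByte:   [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02, 0x00],
};
for (const [name, bytes] of Object.entries(CONSTRUCTED_SAMPLES)) {
  const v = checkSignatureEncoding(bytes);
  console.log(`${name}: ${v.ok ? 'accepted' : 'rejected: ' + v.reason}`);
}
```

Running the block prints one verdict per constructed sample: only `canonical` is accepted, and each of the other three is rejected with the rule it breaks. A verifier that parses with `parseCanonicalEcdsaDer` and additionally re-encodes the result with `encodeCanonicalEcdsaDer` and compares bytes turns every encoding variant into a hard failure instead of a silent accept. This covers the encoding only; the algebraic property that (r, s) and (r, n-s) both verify is separate from what the CVE text describes and needs its own low-s rule.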



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Fri, 19 Jun 2020 18:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 19 Jun 2020 18:09:03 GMT)


Message #10 received at 963149-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 963149-close@bugs.debian.org
Subject: Bug#963149: fixed in node-elliptic 6.5.3~dfsg-1
Date: Fri, 19 Jun 2020 18:05:44 +0000
Source: node-elliptic
Source-Version: 6.5.3~dfsg-1
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
node-elliptic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated node-elliptic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Jun 2020 19:34:40 +0200
Source: node-elliptic
Architecture: source
Version: 6.5.3~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 963149
Changes:
 node-elliptic (6.5.3~dfsg-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + signature: prevent malleability and overflows
     closes: bug#963149 (CVE-2020-13822),
     thanks to Salvatore Bonaccorso
 .
   [ Debian Janitor ]
   * set upstream metadata fields: Bug-Database Bug-Submit
 .
   [ Jonas Smedegaard ]
   * set urgency=high, due to CVE fix
Checksums-Sha1:
 7671051551210d4797c6f99c022a6e6aae0f660e 2322 node-elliptic_6.5.3~dfsg-1.dsc
 1b9f9d3d3861977fbfb019c2b529f46b2c66b39e 847492 node-elliptic_6.5.3~dfsg.orig.tar.xz
 2729efa0ac5ab768ac76289da910fa5c53c1d7e4 3872 node-elliptic_6.5.3~dfsg-1.debian.tar.xz
 d4b13c9d58e68d81fcea88cd1e89dc7352ffcf9c 9365 node-elliptic_6.5.3~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 f1155fc664a96c724366764ca0bbd3d5fa39607d82feea47df889431f61b16c2 2322 node-elliptic_6.5.3~dfsg-1.dsc
 0918673babcdcdc2203a9f27bb2dd26fc400eecbd1b3a7c0c100a1fd2b444c3d 847492 node-elliptic_6.5.3~dfsg.orig.tar.xz
 b759addbb2331e4dc91926b9ab87173b8e7198972da0ca2a43e39f1774245e89 3872 node-elliptic_6.5.3~dfsg-1.debian.tar.xz
 d8e9ea41c12fdb4d8a10418fca81f186ad5b965bff998d497b950afef718a5c7 9365 node-elliptic_6.5.3~dfsg-1_amd64.buildinfo
Files:
 850fef09e8482fd8283921737a981487 2322 web optional node-elliptic_6.5.3~dfsg-1.dsc
 c82ba6341896c0ff9f7b0e1c6b0b595e 847492 web optional node-elliptic_6.5.3~dfsg.orig.tar.xz
 3852fe10f71acc7426e83a2121a3a8f3 3872 web optional node-elliptic_6.5.3~dfsg-1.debian.tar.xz
 bb8935cdbeaa5cb28be9166ed2927ed1 9365 web optional node-elliptic_6.5.3~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 20 13:40:52 2020; Machine Name: bembo
