Your message dated Fri, 21 Mar 2025 19:12:58 +0000
with message-id <e1tvhne-001dtl...@fasolo.debian.org>
and subject line Bug#1100993: fixed in libeddsa-java 0.3.0-2.1
has caused the Debian Bug report #1100993,
regarding libeddsa-java: CVE-2020-36843
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libeddsa-java
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libeddsa-java.

CVE-2020-36843[0]:
| The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through
| 0.3.0 exhibits signature malleability and does not satisfy the SUF-
| CMA (Strong Existential Unforgeability under Chosen Message Attacks)
| property. This allows attackers to create new valid signatures
| different from previous signatures for a known message.

https://github.com/str4d/ed25519-java/pull/82


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-36843
    https://www.cve.org/CVERecord?id=CVE-2020-36843

Please adjust the affected versions in the BTS as needed.

--- End Message ---
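
An added example, not part of the original report or of the libeddsa-java code: a Java guard that rejects Ed25519 signatures whose scalar S is not below the group order L, the range check RFC 8032 requires of verifiers. It assumes the malleability the CVE describes concerns this S range; the class and method names are hypothetical and the test buffers are constructed.

```java
import java.math.BigInteger;

// Added example (hypothetical names): pre-verification guard for 64-byte Ed25519 signatures R || S.
public class CanonicalSCheck {
    // Order of the Ed25519 base point per RFC 8032.
    static final BigInteger L = BigInteger.ONE.shiftLeft(252)
            .add(new BigInteger("27742317777372353535851937790883648493"));

    // Decode len bytes starting at off as an unsigned little-endian integer.
    static BigInteger decodeLittleEndian(byte[] src, int off, int len) {
        byte[] be = new byte[len];
        for (int i = 0; i < len; i++) {
            be[len - 1 - i] = src[off + i];
        }
        return new BigInteger(1, be);
    }

    // True only when sig is exactly 64 bytes and 0 <= S < L.
    // This is a filter to run before signature verification, not a replacement for it.
    static boolean hasCanonicalS(byte[] sig) {
        if (sig == null || sig.length != 64) {
            return false;
        }
        return decodeLittleEndian(sig, 32, 32).compareTo(L) < 0;
    }

    // Constructed test input: all-zero R followed by s in little-endian (low 32 bytes of s).
    static byte[] withS(BigInteger s) {
        byte[] sig = new byte[64];
        byte[] be = s.toByteArray();
        for (int i = 0; i < be.length && i < 32; i++) {
            sig[32 + i] = be[be.length - 1 - i];
        }
        return sig;
    }

    public static void main(String[] args) {
        // Boundary cases around L, plus a buffer of the wrong length.
        BigInteger max = BigInteger.ONE.shiftLeft(256).subtract(BigInteger.ONE);
        System.out.println("S = 0       : " + hasCanonicalS(withS(BigInteger.ZERO)));
        System.out.println("S = L - 1   : " + hasCanonicalS(withS(L.subtract(BigInteger.ONE))));
        System.out.println("S = L       : " + hasCanonicalS(withS(L)));
        System.out.println("S = 2^256-1 : " + hasCanonicalS(withS(max)));
        System.out.println("63 bytes    : " + hasCanonicalS(new byte[63]));
    }
}
```
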
--- Begin Message ---
Source: libeddsa-java
Source-Version: 0.3.0-2.1
Done: Bastian Germann <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libeddsa-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <b...@debian.org> (supplier of updated libeddsa-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 21 Mar 2025 19:30:49 +0100
Source: libeddsa-java
Architecture: source
Version: 0.3.0-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Bastian Germann <b...@debian.org>
Closes: 1100993
Changes:
 libeddsa-java (0.3.0-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2020-36843 (Closes: #1100993)




--- End Message ---
