Your message dated Mon, 07 Oct 2024 11:11:22 +0000
with message-id <e1sxle6-00gydx...@fasolo.debian.org>
and subject line Bug#1077821: fixed in node-elliptic 6.5.7+dfsg-1
has caused the Debian Bug report #1077821,
regarding node-elliptic: CVE-2024-42459 CVE-2024-42460 CVE-2024-42461
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1077821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-elliptic
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for node-elliptic.
CVE-2024-42459[0]:
| In the Elliptic package 6.5.6 for Node.js, EDDSA signature
| malleability occurs because there is a missing signature length
| check, and thus zero-valued bytes can be removed or appended.
CVE-2024-42460[1]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because there is a missing check for whether the
| leading bit of r and s is zero.
CVE-2024-42461[2]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because BER-encoded signatures are allowed.
All addressed by https://github.com/indutny/elliptic/pull/317
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-42459
https://www.cve.org/CVERecord?id=CVE-2024-42459
[1] https://security-tracker.debian.org/tracker/CVE-2024-42460
https://www.cve.org/CVERecord?id=CVE-2024-42460
[2] https://security-tracker.debian.org/tracker/CVE-2024-42461
https://www.cve.org/CVERecord?id=CVE-2024-42461
Please adjust the affected versions in the BTS as needed.
--- End Message ---
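The three missing checks named in the CVE descriptions above, as an added JavaScript example; it is not part of the original messages and is not elliptic's own code. All function names are hypothetical, and range checks on r and s against the curve order are assumed to happen elsewhere.

```javascript
// Strict DER check for an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
// Hypothetical helper names; illustrative only, not the upstream fix.

// Read a DER length at buf[pos]; null if the encoding is not minimal DER.
function readDerLength(buf, pos) {
  if (pos >= buf.length) return null;
  const first = buf[pos];
  if (first < 0x80) return { len: first, next: pos + 1 }; // short form
  const n = first & 0x7f;
  // n === 0 is BER indefinite length; more than 2 length bytes is oversized here.
  if (n === 0 || n > 2 || pos + 1 + n > buf.length) return null;
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | buf[pos + 1 + i];
  // DER wants the shortest form: long form only for len >= 128, no zero pad.
  if (buf[pos + 1] === 0 || len < 0x80) return null;
  return { len, next: pos + 1 + n };
}

// Read one INTEGER that must be non-negative and minimally encoded.
function readDerPositiveInt(buf, pos) {
  if (buf[pos] !== 0x02) return null;
  const l = readDerLength(buf, pos + 1);
  if (!l || l.len === 0 || l.next + l.len > buf.length) return null;
  const v = buf.subarray(l.next, l.next + l.len);
  if (v[0] & 0x80) return null; // leading bit set: a negative INTEGER
  if (v.length > 1 && v[0] === 0 && !(v[1] & 0x80)) return null; // extra 0x00
  return { value: v, next: l.next + l.len };
}

// Returns { r, s } as byte arrays, or null if the input is not strict DER.
function parseStrictDerSignature(sig) {
  const buf = Uint8Array.from(sig);
  if (buf[0] !== 0x30) return null;
  const seq = readDerLength(buf, 1);
  if (!seq || seq.next + seq.len !== buf.length) return null; // trailing bytes
  const r = readDerPositiveInt(buf, seq.next);
  if (!r) return null;
  const s = readDerPositiveInt(buf, r.next);
  if (!s || s.next !== buf.length) return null;
  return { r: r.value, s: s.value };
}

// EdDSA signatures are fixed length (R || S): 64 bytes for Ed25519.
function hasEd25519SignatureLength(sig) {
  return sig.length === 64;
}
```

A verifier that accepts only one byte encoding per (r, s) pair keeps signature bytes usable as a unique identifier, which is what the malleability reports are about.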
--- Begin Message ---
Source: node-elliptic
Source-Version: 6.5.7+dfsg-1
Done: ghostman-pac <asifp3...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
node-elliptic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
ghostman-pac <asifp3...@gmail.com> (supplier of updated node-elliptic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Oct 2024 21:40:21 +0530
Source: node-elliptic
Architecture: source
Version: 6.5.7+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: ghostman-pac <asifp3...@gmail.com>
Closes: 1077821
Changes:
node-elliptic (6.5.7+dfsg-1) unstable; urgency=medium
.
* Team upload
* New upstream version 6.5.7~dfsg
+(Closes: #1077821)(Fixes: CVE-2024-42459 CVE-2024-42460 CVE-2024-42461)
* Updated the rules to check for DEB_BUILD_OPTIONS for skipping tests
* Bumped standards version to 4.7.0, no changes needed.
* New upstream version 6.5.7+dfsg
* repack to 6.5.7+dfsg from 6.5.7~dfsg
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---