Bug 2302460 (CVE-2024-42461)
| Summary: | CVE-2024-42461 elliptic: nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abarbaro, akostadi, alcohan, amasferr, anjoseph, anpicker, asoldano, bbaranow, bdettelb, bmaxwell, bparees, brainfor, brian.stansberry, caswilli, cbartlet, cdewolf, chazlett, ckandaga, cmiranda, crizzo, darran.lofthouse, dhanak, dkreling, dmayorov, doconnor, dosoudil, drosa, dsimansk, eric.wittmann, fjuma, gkamathe, gmalinko, gotiwari, gparvin, hasun, hkataria, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jchui, jfula, jgrulich, jhe, jhorak, jlledo, jowilson, jprabhak, jrokos, jwendell, kaycoth, kingland, kshier, ktsao, kverlaen, lbainbri, lchilton, lgao, lsharar, matzew, mjaros, mmakovy, mnovotny, mosmerov, msochure, msvehla, mvyas, nboldt, nipatil, njean, nwallace, nyancey, ometelka, owatkins, pahickey, pantinor, pcongius, pdelbell, pesilva, pierdipi, pjindal, pmackay, psrna, ptisnovs, pvasanth, rcernich, rguimara, rhaigner, rhuss, rkubis, rojacob, rstancel, rstepani, rtaniwa, sausingh, sdawley, sfeifer, smaestri, syedriko, teagle, tjochec, tkral, tom.jenkinson, tpopela, twalsh, wtam, xdharmai |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the Elliptic package for Node.js. ECDSA signatures encoded in BER format are improperly validated, allowing leading zeros to be added to the signature without invalidating it, resulting in confidentiality issues.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2303237, 2303221, 2303222, 2303223, 2303224, 2303225 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2024-08-02 07:20:41 UTC
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.5 for RHEL 8 multicluster engine for Kubernetes 2.5 for RHEL 9 Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.6 for RHEL 9 multicluster engine for Kubernetes 2.6 for RHEL 8 Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994 |