The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists. https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp https://minerva.crocs.fi.muni.cz/ https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
Created python-ecdsa tracking bugs for this issue: Affects: epel-all [bug 2259781] Affects: fedora-all [bug 2259782]
This issue has been addressed in the following products: RHUI 4 for RHEL 8 Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878