In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
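The missing length check described above, as an added illustration (not code from the elliptic package; all function names are hypothetical). It assumes a 64-byte Ed25519 encoding with R in the first 32 bytes and S as a little-endian integer in the rest, and it uses a constructed sample value rather than a real signature. The lenient parser shows why appended or removed zero bytes leave S unchanged; the strict parser rejects those encodings.

```javascript
// Added illustration; not code from the elliptic package. All names are hypothetical.
// Assumption: a 64-byte Ed25519 signature, R (32 bytes) then S (32 bytes),
// with S read as a little-endian integer.
const ENC_LEN = 32;

function hexToBytes(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new TypeError('signature must be an even-length hex string');
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

function leToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(bytes[i]);
  return n;
}

// Lenient parsing: everything after R is taken as S, whatever its length.
function parseLenient(sigHex) {
  const b = hexToBytes(sigHex);
  return { R: b.slice(0, ENC_LEN), S: leToBigInt(b.slice(ENC_LEN)) };
}

// Strict parsing: reject any encoding that is not exactly 2 * ENC_LEN bytes.
function parseStrict(sigHex) {
  const b = hexToBytes(sigHex);
  if (b.length !== 2 * ENC_LEN) {
    throw new RangeError(`signature must be ${2 * ENC_LEN} bytes, got ${b.length}`);
  }
  return { R: b.slice(0, ENC_LEN), S: leToBigInt(b.slice(ENC_LEN)) };
}

function acceptsStrict(sigHex) {
  try { parseStrict(sigHex); return true; } catch (e) { return false; }
}

// Constructed sample (not a real signature): R = 32 x 0x11, S = 31 x 0x22 then 0x00.
const SAMPLE = '11'.repeat(32) + '22'.repeat(31) + '00';
const PADDED = SAMPLE + '00';        // one zero byte appended
const TRIMMED = SAMPLE.slice(0, -2); // trailing zero byte removed
```

Systems that deduplicate or index by signature bytes see `SAMPLE`, `PADDED` and `TRIMMED` as three distinct values even though the lenient parser decodes the same S for all of them.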
https://github.com/indutny/elliptic/pull/317 was merged 6 hours ago, bumping the version to 6.5.7 and fixing: CVE-2024-42459, CVE-2024-42460, CVE-2024-42461. NPM library published: https://www.npmjs.com/package/elliptic
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.5 for RHEL 8; multicluster engine for Kubernetes 2.5 for RHEL 9. Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9. Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.6 for RHEL 9; multicluster engine for Kubernetes 2.6 for RHEL 8. Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9. Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994