2302458 – (CVE-2024-42459) CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to missing signature length check

Bug 2302458 (CVE-2024-42459) - CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to missing signature length check

Summary: CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to...

Keywords:
Status:	NEW
Alias:	CVE-2024-42459
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2303781 2303782 2303783 2303784 2303785 2303787
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-02 07:20 UTC by OSIDB Bzimport
Modified:	2025-04-18 08:27 UTC (History)
CC List:	97 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:6738	None	None	None	2024-09-17 19:47:43 UTC
Red Hat Product Errata	RHSA-2024:6779	None	None	None	2024-09-18 19:22:28 UTC
Red Hat Product Errata	RHSA-2024:7759	None	None	None	2024-10-07 15:27:55 UTC
Red Hat Product Errata	RHSA-2024:7994	None	None	None	2024-10-11 01:44:41 UTC

Description OSIDB Bzimport 2024-08-02 07:20:36 UTC

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

Comment 1 Alberto Gutierrez 2024-08-14 08:38:27 UTC

https://github.com/indutny/elliptic/pull/317 was merged 6 hours ago bumping th version to the 6.5.7 fixing:

CVE-2024-42459
CVE-2024-42460
CVE-2024-42461

NPM library published https://www.npmjs.com/package/elliptic

Comment 2 errata-xmlrpc 2024-09-17 19:47:42 UTC

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738

Comment 3 errata-xmlrpc 2024-09-18 19:22:27 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779

Comment 5 errata-xmlrpc 2024-10-07 15:27:54 UTC

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 9
  multicluster engine for Kubernetes 2.6 for RHEL 8

Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759

Comment 6 errata-xmlrpc 2024-10-11 01:44:40 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
agutierr
akostadi
alcohan
amasferr
anjoseph
asoldano
bbaranow
bdettelb
bmaxwell
brian.stansberry
caswilli
cbartlet
cdaley
cdewolf
chazlett
ckandaga
cmiranda
crizzo
darran.lofthouse
dhanak
dkreling
dmayorov
doconnor
dosoudil
dsimansk
ecerquei
erack
fjuma
gkamathe
gmalinko
gotiwari
gparvin
hkataria
ibek
istudens
ivassile
iweiss
janstey
jcantril
jchui
jhe
jhorak
jlledo
jprabhak
jrokos
jwendell
kaycoth
kingland
kshier
ktsao
kverlaen
lbainbri
lchilton
lgao
matzew
mjaros
mkudlej
mmakovy
mnovotny
mosmerov
msochure
msvehla
mvyas
nboldt
njean
nwallace
owatkins
pahickey
pcongius
pdelbell
pesilva
pierdipi
pjindal
pmackay
psrna
pvasanth
rcernich
rguimara
rhaigner
rhuss
rojacob
rstancel
rstepani
rtaniwa
sausingh
sdawley
sfeifer
skontopo
smaestri
teagle
tjochec
tkral
tom.jenkinson
tpopela
twalsh
wtam