A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can be raised during signature decoding, which may lead to denial of service in some cases. All the versions between at least 0.5 and 0.13.2 are thought to be vulnerable.
Upstream issue: https://github.com/warner/python-ecdsa/issues/114
Upstream patch: https://github.com/warner/python-ecdsa/pull/115
References: https://github.com/warner/python-ecdsa/blob/bb359d32e93acc3eb4d216aff4ba0e7531599cfb/ecdsa/keys.py#L98-L113
Created python-ecdsa tracking bugs for this issue:
Affects: epel-all [bug 1758706]
Affects: fedora-all [bug 1758705]
Version 0.13.3 of the library, which addresses this issue, has been released:
* https://pypi.org/project/ecdsa/0.13.3/
* https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
Statement: Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time. Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.
Red Hat CloudForms Management Engine 5.9 (4.6), 5.10 (4.7) and 5.11 (5.0) are not affected since we don't ship python-ecdsa. CloudForms 5.8 (4.5), however, is vulnerable but unsupported by Red Hat as of December 1, 2019.
External References: https://github.com/advisories/GHSA-pwfw-mgfj-7g3g
This issue has been addressed in the following products:
Red Hat Satellite 6.10 for RHEL 7
Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702