A flaw was found in python-ecdsa before 0.13.3. The library does not verify that signatures actually use DER encoding. This makes the signatures malleable and exposes use cases that further sign the signatures, in particular bitcoin.

Upstream issue:
https://github.com/warner/python-ecdsa/issues/114

Upstream patch:
https://github.com/warner/python-ecdsa/pull/115
https://github.com/warner/python-ecdsa/pull/124

References:
https://en.bitcoinwiki.org/wiki/Transaction_Malleability
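Added example (not code from python-ecdsa or from this report): a strict DER parser for an ECDSA signature that accepts only the one canonical encoding of (r, s) and rejects re-encodings of the same values, which is the check the description above says was missing. Function and constant names are illustrative, and the sample byte strings are constructed.

```python
# Strict DER check for SEQUENCE { INTEGER r, INTEGER s }; names are illustrative.
class NotStrictDER(ValueError):
    pass

def _read_len(buf, pos):
    """Read a DER length; reject indefinite and non-minimal forms."""
    if pos >= len(buf):
        raise NotStrictDER("truncated length")
    first = buf[pos]
    if first < 0x80:                       # short form, always minimal
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    raw = buf[pos + 1:pos + 1 + n]
    if n == 0 or len(raw) != n:
        raise NotStrictDER("indefinite or truncated length")
    value = int.from_bytes(raw, "big")
    if raw[0] == 0 or value < 0x80:        # short form would have sufficed
        raise NotStrictDER("non-minimal length")
    return value, pos + 1 + n

def _read_int(buf, pos):
    if pos >= len(buf) or buf[pos] != 0x02:
        raise NotStrictDER("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise NotStrictDER("bad INTEGER length")
    if body[0] & 0x80:                     # r and s must be positive
        raise NotStrictDER("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise NotStrictDER("padded INTEGER")
    return int.from_bytes(body, "big"), pos + length

def parse_strict_der_sig(sig):
    if not sig or sig[0] != 0x30:
        raise NotStrictDER("expected SEQUENCE")
    length, pos = _read_len(sig, 1)
    if pos + length != len(sig):
        raise NotStrictDER("length mismatch or trailing bytes")
    r, pos = _read_int(sig, pos)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise NotStrictDER("extra data inside SEQUENCE")
    return r, s

# Constructed samples: r=1, s=2 in canonical form, then two re-encodings of it.
CANONICAL = bytes.fromhex("3006020101020102")
LONG_LEN = bytes.fromhex("308106020101020102")   # long-form length octet
PADDED = bytes.fromhex("300702020001020102")     # r padded with a zero octet
```

A verifier that runs this check before signature verification treats `LONG_LEN` and `PADDED` as invalid rather than as second valid encodings of the same signature.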
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1760845]
Affects: fedora-all [bug 1760844]
External References:

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
https://pypi.org/project/ecdsa/0.13.3/
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected as these versions no longer ship the python-ecdsa library. Only CloudForms 5.8, which is now EOL, delivered the python-ecdsa library.

Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

Current releases of Red Hat Satellite no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.
This issue has been addressed in the following products:

Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702