2302459 – (CVE-2024-42460) CVE-2024-42460 elliptic: nodejs/elliptic: ECDSA signature malleability due to missing checks

Bug 2302459 (CVE-2024-42460) - CVE-2024-42460 elliptic: nodejs/elliptic: ECDSA signature malleability due to missing checks

Summary: CVE-2024-42460 elliptic: nodejs/elliptic: ECDSA signature malleability due to...

Keywords:
Status:	NEW
Alias:	CVE-2024-42460
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2303537 2303538 2303539 2303540 2303541 2303542
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-02 07:20 UTC by OSIDB Bzimport
Modified:	2025-06-01 08:27 UTC (History)
CC List:	97 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:6738	None	None	None	2024-09-17 19:47:46 UTC
Red Hat Product Errata	RHSA-2024:6779	None	None	None	2024-09-18 19:22:28 UTC
Red Hat Product Errata	RHSA-2024:7759	None	None	None	2024-10-07 15:27:55 UTC
Red Hat Product Errata	RHSA-2024:7994	None	None	None	2024-10-11 01:44:41 UTC

Description OSIDB Bzimport 2024-08-02 07:20:39 UTC

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Comment 1 Alberto Gutierrez 2024-08-14 08:53:43 UTC

https://github.com/indutny/elliptic/pull/317 was merged 6 hours ago bumping th version to the 6.5.7 fixing:

CVE-2024-42459
CVE-2024-42460
CVE-2024-42461

NPM library published https://www.npmjs.com/package/elliptic

Comment 2 errata-xmlrpc 2024-09-17 19:47:45 UTC

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738

Comment 3 errata-xmlrpc 2024-09-18 19:22:28 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779

Comment 5 errata-xmlrpc 2024-10-07 15:27:55 UTC

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 9
  multicluster engine for Kubernetes 2.6 for RHEL 8

Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759

Comment 6 errata-xmlrpc 2024-10-11 01:44:40 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
agutierr
alcohan
anjoseph
anpicker
asoldano
bbaranow
bdettelb
bmaxwell
bparees
brainfor
brian.stansberry
caswilli
cdaley
cdewolf
chazlett
ckandaga
cmiranda
darran.lofthouse
dhanak
dkreling
doconnor
dosoudil
dsimansk
ecerquei
erack
fjuma
gkamathe
gmalinko
gotiwari
gparvin
hasun
hkataria
ibek
istudens
ivassile
iweiss
janstey
jcantril
jchui
jfula
jhe
jhorak
jowilson
jprabhak
jrokos
jwendell
kaycoth
kingland
kshier
ktsao
kverlaen
lbainbri
lchilton
lgao
lsharar
matzew
mnovotny
mosmerov
msochure
msvehla
mvyas
nboldt
njean
nwallace
nyancey
ometelka
owatkins
pahickey
pcongius
pdelbell
pesilva
pierdipi
pjindal
pmackay
psrna
ptisnovs
pvasanth
rcernich
rguimara
rhaigner
rhuss
rojacob
rstancel
rstepani
rtaniwa
sdawley
sfeifer
smaestri
syedriko
teagle
tkral
tom.jenkinson
tpopela
twalsh
wtam
xdharmai