Fix CVE-2020-36843 by rejecting malleable signatures with s>=L. #96
wglas85 wants to merge 1 commit into str4d:master from
Thanks!

Hopefully @str4d is still able to release the project in 2025 and publish it to Maven Central again. 👍

@str4d could you please review and hopefully merge this PR?

@str4d any news on when we can expect a merge in autumn 2025?

@str4d could you please give us an update on when we can expect this PR to be merged?

@str4d So, please let's merge and release ecdsa-0.3.1. TIA, Wolfgang

@wglas85, I've contacted "str4d" over Bluesky communicator, but he hasn't responded to me. My company also relies on that code and we need to patch this vuln. What I've done instead: I pulled the code and compiled it myself into .jar and source.jar files. Right now, I need to make sure it works as expected and that no regression will result from it.

This PR fixes CVE-2020-36843 and #95
I did my best to make the project compile and test under openjdk-17 with minimal modifications.
I had to drop support for java-1.7 but hopefully retained compatibility with java-8.
TIA for starting the discussion on this contribution, so that we get this old CVE fixed in 2025.