Dependabot alerts being raised for elliptic #319
Comments
This seems to be the source of the Dependabot alerts: #317
Mend is flagging this as a vulnerability; can this be resolved, please? It's causing us a lot of concern.
Yes, our Dependabot would be happy if a fix for this made it into a new release.
Is there any way that we can fix this issue, as it is showing no patch available?
Looks like a new
The new release is showing up on the npm repository now, so we can all likely update our projects to use it and fix these Dependabot warnings.
Thanks for getting the PR merged and the new release sorted out, @indutny. 😄
Happy to help; sorry for not doing it on time!
No worries, they're only
Closing this issue, as the new release does indeed fix the Dependabot warnings. Confirmed it in one of my project repos.
GitHub's Dependabot has today started creating alerts in repositories using elliptic.
@indutny is this stuff (below) already on people's radar for looking into? 😄
Elliptic allows BER-encoded signatures
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Affected versions: >= 5.2.1, <= 6.5.6
Fixed versions: None
Elliptic's ECDSA missing check for whether leading bit of r and s is zero
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
Affected versions: >= 2.0.0, <= 6.5.6
Fixed versions: None
Elliptic's EDDSA missing signature length check
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Affected versions: >= 4.0.0, <= 6.5.6
Fixed versions: None
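All three advisories describe encoding malleability: a verifier that accepts more than one byte string as a valid encoding of the same (r, s) pair, or of the same Ed25519 signature, so a third party can produce a "new" signature without the private key. The following is an added example, not code from the elliptic package and not posted by anyone in this thread. It is a strict DER parser for ECDSA signatures that rejects the BER length forms and the non-minimal INTEGER encodings named in the first two advisories, plus the fixed-length check that closes the EdDSA case. The function names (`parseEcdsaDer`, `isStrictDer`, `checkEd25519SigLength`) and all sample signatures are chosen and constructed here; r and s are deliberately one byte long so the encodings are readable, and the parser does not depend on their size.

```javascript
'use strict';

// Strict DER parsing for ECDSA signatures and a length check for Ed25519
// signatures. Added illustration only: this is not code from the elliptic
// package. Every buffer below is constructed for the example.

// Read one DER length field at `off`. DER forbids the BER forms: the
// indefinite length 0x80, a long form where the short form would do
// (0x81 0x07 for a length of 7), and leading zero bytes in the length.
function readDerLength(buf, off) {
  if (off >= buf.length) throw new Error('truncated length field');
  const first = buf[off];
  if (first < 0x80) return { len: first, next: off + 1 };
  if (first === 0x80) throw new Error('indefinite length is BER, not DER');
  const n = first & 0x7f;
  // Signatures are tiny; two length bytes (up to 65535) is already generous.
  if (n > 2 || off + 1 + n > buf.length) throw new Error('bad long-form length');
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 1 + i];
  if (len < 0x80 || buf[off + 1] === 0) throw new Error('non-minimal length encoding');
  return { len, next: off + 1 + n };
}

// Read a DER INTEGER and return its magnitude without the sign pad.
// Rejects a negative value (top bit set with no 0x00 pad) and a redundant
// pad (0x00 followed by a byte whose top bit is clear): this is the
// "leading bit of r and s" check the second advisory describes.
function readDerInteger(buf, off) {
  if (buf[off] !== 0x02) throw new Error('expected INTEGER tag');
  const { len, next } = readDerLength(buf, off + 1);
  if (len === 0 || next + len > buf.length) throw new Error('bad INTEGER length');
  const body = buf.subarray(next, next + len);
  if (body[0] & 0x80) throw new Error('negative INTEGER; r and s must be positive');
  if (body[0] === 0x00 && len > 1 && !(body[1] & 0x80)) {
    throw new Error('non-minimal INTEGER: redundant leading zero byte');
  }
  return { value: body[0] === 0x00 ? body.subarray(1) : body, next: next + len };
}

// Parse SEQUENCE { INTEGER r, INTEGER s } and insist that every byte of
// the input is accounted for, so nothing can be appended or padded.
function parseEcdsaDer(sig) {
  if (sig.length < 2 || sig[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seq = readDerLength(sig, 1);
  if (seq.next + seq.len !== sig.length) throw new Error('SEQUENCE length does not cover the whole signature');
  const r = readDerInteger(sig, seq.next);
  const s = readDerInteger(sig, r.next);
  if (s.next !== sig.length) throw new Error('trailing bytes after s');
  if (r.value.length === 0 || s.value.length === 0) throw new Error('r and s must be nonzero');
  return { r: r.value.toString('hex'), s: s.value.toString('hex') };
}

function isStrictDer(sig) {
  try { parseEcdsaDer(sig); return true; } catch (e) { return false; }
}

// Ed25519 signatures are exactly 64 bytes (R || S). A verifier that drops
// or tolerates zero bytes at either end accepts more than one encoding of
// the same signature; refusing any other length closes that.
function checkEd25519SigLength(sig) {
  return Buffer.isBuffer(sig) && sig.length === 64;
}

// Constructed samples with deliberately short r = 0x7f and s = 0x80.
// Canonical: 30 07 | 02 01 7f | 02 02 00 80 (s needs the 0x00 pad because 0x80 has its top bit set).
const samples = {
  canonical:         '300702017f02020080',
  berLongFormLength: '30810702017f02020080', // 81 07 where 07 would do
  redundantZeroOnR:  '30080202007f02020080', // 02 02 00 7f: pad not needed
  negativeS:         '300602017f020180',     // 02 01 80: pad missing, s reads as negative
  trailingZeroByte:  '300702017f0202008000', // canonical with 0x00 appended
  zeroR:             '300702010002020080',   // r encodes 0
};

for (const [name, hex] of Object.entries(samples)) {
  console.log(name.padEnd(18), isStrictDer(Buffer.from(hex, 'hex')) ? 'accepted' : 'rejected');
}

// Ed25519: a constructed 64-byte signature whose first byte is zero, and the
// two malleated forms the third advisory describes.
const ed = Buffer.alloc(64, 0xa5);
ed[0] = 0x00;
console.log('64 bytes           ', checkEd25519SigLength(ed));
console.log('leading zero dropped', checkEd25519SigLength(ed.subarray(1)));
console.log('zero byte appended ', checkEd25519SigLength(Buffer.concat([ed, Buffer.from([0x00])])));
```

Run it with `node` and only the `canonical` sample is accepted. Note what this does and does not cover: it pins the encoding, which is what the three advisories are about, but it does not perform the curve arithmetic, and it does not address the separate high-s / low-s form of ECDSA malleability, which is outside the scope of this issue.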