CVE-2020-13822

NameCVE-2020-13822
DescriptionThe Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs963149

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-elliptic (PTS)buster6.4.1~dfsg-1+deb10u1fixed
bullseye6.5.4~dfsg-1fixed
bookworm6.5.4~dfsg-2fixed
sid, trixie6.5.7+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ellipticsourcebuster6.4.1~dfsg-1+deb10u1
node-ellipticsource(unstable)6.5.3~dfsg-1963149

Notes

https://github.com/indutny/elliptic/issues/226
Search for package or bug name: Reporting problems