CVE-2019-14853 (https://nvd.nist.gov/vuln/detail/CVE-2019-14853): A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can be raised during signature decoding, which may lead to denial of service in some cases. All the versions between at least 0.5 and 0.13.2 are thought to be vulnerable.
CVE-2019-14859 (https://nvd.nist.gov/vuln/detail/CVE-2019-14859): A flaw was found in python-ecdsa before 0.13.3. The library is not verifying if the signatures actually use DER encoding for the signatures. This makes the signatures malleable and exposes use cases that further sign the signatures. In particular bitcoin.
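The encoding laxity described for CVE-2019-14859 (a decoder that accepts non-DER BER variants of the same (r, s) pair), shown as an added illustration that is not code from python-ecdsa or from this bug: a minimal ASN.1 signature decoder with a strict DER mode beside a lax mode. Function names and the sample byte strings are constructed for the example.

```python
def _read_len(buf, pos, strict):
    """Parse a length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos  # short form
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER: long form only for lengths >= 128, and with minimal octets
    if strict and (length < 0x80 or buf[pos] == 0):
        raise ValueError("non-minimal length encoding")
    return length, pos + n

def _read_int(buf, pos, strict):
    if buf[pos:pos + 1] != b"\x02":
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1, strict)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if strict:
        if body[0] & 0x80:
            raise ValueError("negative INTEGER")
        if length > 1 and body[0] == 0 and not body[1] & 0x80:
            raise ValueError("non-minimal INTEGER (leading zero)")
    return int.from_bytes(body, "big"), pos + length

def decode_sig(der, strict=True):
    """Return (r, s) from SEQUENCE { INTEGER r, INTEGER s }."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1, strict)
    if pos + length != len(der):
        raise ValueError("SEQUENCE length mismatch or trailing data")
    r, pos = _read_int(der, pos, strict)
    s, pos = _read_int(der, pos, strict)
    if pos != len(der):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s

def is_canonical_der(der):
    try:  # True only for the unique DER encoding of (r, s)
        decode_sig(der, strict=True)
        return True
    except ValueError:
        return False
CANONICAL = bytes.fromhex("3006020101020102")  # constructed: r=1, s=2, DER
PADDED = bytes.fromhex("300702020001020102")  # same (r, s), r has a leading zero: BER only
```

A lax decoder returns the same (r, s) for both byte strings, so any consumer that hashes or signs the encoded signature sees two distinct inputs; strict mode rejects the padded form.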
I don't see any <-deps, so let's stabilize 0.14.1.
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-14853 (https://nvd.nist.gov/vuln/detail/CVE-2019-14853):
> A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can
> be raised during signature decoding may lead to denial of service in some
> cases. All the versions between at least 0.5 and 0.13.2 are thought to be
> vulnerable.

What software is actually affected by this?

> CVE-2019-14859 (https://nvd.nist.gov/vuln/detail/CVE-2019-14859):
> A flaw was found in python-ecdsa before 0.13.3. The library is not verifying
> if the signatures actually use DER encoding for the signatures. This makes
> the signatures malleable and exposes use cases that further sign the
> signatures. In particular bitcoin.

Eh? DER signatures are always malleable last I checked...? Why the claim this affects Bitcoin? Bitcoin doesn't use Python, and does expect malleable signatures.
x86 stable
sparc stable
ppc64 stable
ppc stable
amd64 stable
hppa stable
ia64 stable
alpha stable
arm stable
@maintainer(s), please cleanup vulnerable versions.
FWIW, metadata.xml claims I am the sole maintainer of this package, but I have never actually maintained or agreed to maintain it AFAIR... Not sure how I ended up added to metadata.xml for this in the first place.
(In reply to Luke-Jr from comment #13)
> FWIW, metadata.xml claims I am the sole maintainer of this package, but I
> have never actually maintained or agreed to maintain it AFAIR... Not sure
> how I ended up added to metadata.xml for this in the first place.

I'll drop you when I do a cleanup PR in a bit. Very odd!
(In reply to Luke-Jr from comment #13)
> FWIW, metadata.xml claims I am the sole maintainer of this package, but I
> have never actually maintained or agreed to maintain it AFAIR... Not sure
> how I ended up added to metadata.xml for this in the first place.

You've become the sole maintainer when other maintainers resigned. You were added in 2012 in the initial commit, apparently as a dependency of net-misc/electrum. Python will take care of that package.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b1026b6ae37df29c07e90f41d3325ecf5a7168a

commit 8b1026b6ae37df29c07e90f41d3325ecf5a7168a
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-19 03:10:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-19 06:31:42 +0000

    dev-python/ecdsa: Drop the proxy-maintainer to m-n

    Luke-Jr does not want to be proxy maintainer of this package, and is
    not sure how he became it(!). See bug.

    Bug: https://bugs.gentoo.org/699848
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15009
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/ecdsa/metadata.xml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f24e935a113dedd77d502364ca8dfb4991269a6b

commit f24e935a113dedd77d502364ca8dfb4991269a6b
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-19 03:07:31 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-19 06:31:40 +0000

    dev-python/ecdsa: Drop vulnerable versions

    Bug: https://bugs.gentoo.org/699848
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/ecdsa/Manifest            |  2 --
 dev-python/ecdsa/ecdsa-0.13.2.ebuild | 23 -----------------------
 dev-python/ecdsa/ecdsa-0.13.ebuild   | 23 -----------------------
 3 files changed, 48 deletions(-)
Tree is clean.
Unable to check for sanity:

> no match for package: dev-python/ecdsa-0.14.1
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].