ed25519-java icon indicating copy to clipboard operation
ed25519-java copied to clipboard
verified publisher icon str4d

Fix CVE-2020-36843 by rejecting malleable signatures wih s>=L.

Open wglas85 opened this issue 6 months ago • 7 comments

This PR fixes CVE-2020-36843 and https://github.com/str4d/ed25519-java/issues/95 I did my best to make the project compile and test under openjdk-17 with minimal modifications. I had to drop support for java-1.7 but hopefully retained compatibility with java-8. TIA for starting the discussion on this contribution, so that we get this old CVE fixed in 2025.

wglas85 avatar Jun 27 '25 09:06 wglas85

Thanks!

arkangelboss-github avatar Jun 27 '25 17:06 arkangelboss-github

Hopefully @str4d is still able to release the project in 2025 and publish it to maven central again. 👍

wglas85 avatar Jun 27 '25 18:06 wglas85

@str4d could you please review and hopefully merge this PR? Thanks in Advance, Wolfgang

wglas85 avatar Aug 01 '25 09:08 wglas85

@str4d any news on when we can expect a merge in autumn 2025? TIA, Wolfgang

wglas85 avatar Sep 11 '25 09:09 wglas85

@str4d could you please give us an update on when we can expect when this PR will be merged? TIA, Wolfgang

wglas85 avatar Oct 29 '25 14:10 wglas85

Looks good to me!

@str4d So, please let's merge and release ecdsa-0.3.1

TIA Wolfgang

wglas85 avatar Nov 14 '25 17:11 wglas85

@wglas85, I've contacted "str4d" over Bluesky communicator, but he hasn't responded me back. My company also relies on that code and we need to patch this vuln. What I've done instead: I pulled the code and compiled it myself into a .jar and source.jar files. Right now, I need to make sure, it works as expected and no regression will result from it.

seenquev avatar Nov 14 '25 20:11 seenquev