Candidate: CVE-2020-13822
PublicDate: 2020-06-04 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13822
 https://github.com/indutny/elliptic/issues/226
 https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
 https://www.npmjs.com/package/elliptic
 https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/
Description:
 The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability
 via variations in encoding, leading '\0' bytes, or integer overflows. This
 could conceivably have a security-relevant impact if an application relied
 on a single canonical signature.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L [7.7 HIGH]

Patches_node-elliptic:
upstream_node-elliptic: needs-triage
precise/esm_node-elliptic: DNE
trusty_node-elliptic: ignored (out of standard support)
trusty/esm_node-elliptic: DNE
xenial_node-elliptic: DNE
bionic_node-elliptic: needs-triage
eoan_node-elliptic: ignored (reached end-of-life)
focal_node-elliptic: needs-triage
groovy_node-elliptic: not-affected (6.5.3~dfsg-1)
hirsute_node-elliptic: not-affected (6.5.3~dfsg-1)
impish_node-elliptic: not-affected (6.5.3~dfsg-1)
jammy_node-elliptic: not-affected (6.5.3~dfsg-1)
devel_node-elliptic: not-affected (6.5.3~dfsg-1)