Bug#1100993: libeddsa-java: CVE-2020-36843
Moritz Mühlenhoff
jmm at inutil.org
Fri Mar 21 13:27:23 GMT 2025
Source: libeddsa-java
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libeddsa-java.
CVE-2020-36843[0]:
| The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through
| 0.3.0 exhibits signature malleability and does not satisfy the SUF-
| CMA (Strong Existential Unforgeability under Chosen Message Attacks)
| property. This allows attackers to create new valid signatures
| different from previous signatures for a known message.
https://github.com/str4d/ed25519-java/pull/82
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-36843
https://www.cve.org/CVERecord?id=CVE-2020-36843
Please adjust the affected versions in the BTS as needed.