[SECURITY] [DSA 5132-1] ecdsautils security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5132-1] ecdsautils security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 8 May 2022 19:11:04 +0000
Message-id: <[🔎] 20220508191104.GA12626@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5132-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 08, 2022                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ecdsautils
CVE ID         : CVE-2022-24884

It was discovered that ecdsautils, a collection of ECDSA elliptic curve
cryptography CLI tools verified some cryptographic signatures incorrectly:
A signature consisting only of zeroes was always considered valid,
making it trivial to forge signatures.

For the oldstable distribution (buster), this problem has been fixed
in version 0.3.2+git20151018-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 0.3.2+git20151018-2+deb11u1.

We recommend that you upgrade your ecdsautils packages.

For the detailed security status of ecdsautils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ecdsautils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJ4FFEACgkQEMKTtsN8
TjYO9hAAjAKD3Xxs4N1zf5ANmW12mYfeMwfVPKX/X935afJ8HVj+EV8t5xY6a3bL
aMIPTYJTLMzlGCqqW6nRRAO6U3wa19jJ/we6KSGusRH8hf5yKMU0CT4JZtp85q8h
xQMsVNry1LjEIhlJLiEX/+l5th2KZZ/XtweL3ZhpqR7LeJpUClJ/u4m0T6yL6czt
8jAwUN+hB4lGJBFI7656UFLE1ck7+KEjiDL66YM22HtamjOpwaR3D4KhMKJtbuoZ
nqde4YM0d+VzaVerbrIkrKcr0O51PQDjjYgmS6nQunrEMOiZYMDQM3EJWtul4NIh
uBs+szC5U/F+5vV4V8zQlAJ+xmZoNB/enPnwexRabt0j0qYXMe2SJXMjgNFTJtZG
WiUgqfWxy/kcOG1O2hoVTsCr4AK7VDTdebpThqUEH+I61cx9V6RdX5K5zvXqU1Nm
SlBdCj5SFLaC6Y5aYpkot5fJ6AZM1kneyVxjbacs4rRpsQ0zkSBnMkSEsTTgtiH+
kyr5qFet39hzUJ2e3k/P/qtvIMsDvwaF45G3yE01S1/rrBZLtpG9PdtU86pNYkhC
cRqu2G0NRHPi2hb+/nscbGhotn2QWwwoOIwX1K0yR7C5rK4x2864kYcZLNMN2ZTd
yJvT4Krr1XImRIekcgRO3oYigvCQwq8rnCo1HFjuLxcW1xTYi/Y=
=PwJV
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5131-1] openjdk-11 security update
Next by Date: [SECURITY] [DSA 5133-1] qemu security update
Previous by thread: [SECURITY] [DSA 5131-1] openjdk-11 security update
Next by thread: [SECURITY] [DSA 5133-1] qemu security update
Index(es):
- Date
- Thread