Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated Elliptic.js package from 6.5.3 to 6.5.4 #1284

Closed
wants to merge 1 commit into from
Closed

Updated Elliptic.js package from 6.5.3 to 6.5.4 #1284

wants to merge 1 commit into from

Conversation

breakabort
Copy link

Elliptic.js 6.5.4 does a check to ensure that the public key passed in to ECDH is a point that actually exists on the curve.
This prevents a twist attack which could be used to reveal the private key of a party in an ECDH operation over a number of occurances.

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE: CVE-2020-28498

@breakabort
Updated Elliptic.js package from 6.5.3 to 6.5.4
c0439e4 
Elliptic.js 6.5.4 does a check to ensure that the public key passed in to ECDH is a point that actually exists on the curve.
This prevents a twist attack which could be used to reveal the private key of a party in an ECDH operation over a number of occurances.

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE: CVE-2020-28498
@ricmoo
Copy link
Member

ricmoo commented Feb 8, 2021

I just commented on your closed PR. Sorry, didn’t see this one yet.

I’ll get to this tomorrow morning.

Thanks! :)

@ricmoo ricmoo added the on-deck This Enhancement or Bug is currently being worked on. label Feb 8, 2021
ricmoo added a commit that referenced this pull request Feb 8, 2021
@ricmoo
Bump elliptic version for CVE-2020-28498 (#1284).
796954f
@ricmoo
Copy link
Member

ricmoo commented Feb 9, 2021

Fixed in 5.0.30. Try it out and let me know if there are any issues. :)

@ricmoo ricmoo added enhancement New feature or improvement. fixed/complete This Bug is fixed or Enhancement is complete and published. and removed on-deck This Enhancement or Bug is currently being worked on. labels Feb 9, 2021
@breakabort breakabort mentioned this pull request Feb 9, 2021
Closed
@ricmoo ricmoo closed this Feb 13, 2021
This was referenced Mar 12, 2021
Closed
Merged
Closed
Closed
This was referenced Apr 11, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or improvement. fixed/complete This Bug is fixed or Enhancement is complete and published.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@breakabort @ricmoo