CVE-2020-36843:
The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.
Among the 3 debian patches
available in version 0.3.0-2.1 of the package,
we noticed the following issues:
1 patch
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.2 instead of
4.7.0).
Migration status for libeddsa-java (0.3.0-2 to 0.3.0-2.1): Waiting for test results or another package, or too young (no action required now - check later)
Issues preventing migration:
∙ ∙ Too young, only 4 of 5 days old
Additional info:
∙ ∙ Updating libeddsa-java will fix bugs in testing: #1100993
![[bug history graph]](https://qa.debian.org/data/bts/graphs/libe/libeddsa-java.png){kind=link}