{"schema_version":"1.7.2","id":"OESA-2025-1334","modified":"2025-03-29T06:22:47Z","published":"2025-03-29T06:22:47Z","upstream":["CVE-2020-36843"],"summary":"ed25519-java security update","details":"This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see http://ed25519.cr.yp.to/software.html). There are two internal implementations:\n* A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.\n* A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.\n\nSecurity Fix(es):\n\nThe implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message. As described, the result is a different valid signature for a message that was already signed, not a signature on a new message; applications that treat signature bytes as unique (for example as identifiers, or for deduplication or replay detection) are the ones exposed. The fix is delivered in package release 0.3.0-5, so the upstream version number 0.3.0 alone does not show whether a system is patched. (CVE-2020-36843)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"ed25519-java","purl":"pkg:rpm/openEuler/ed25519-java\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.0-5.oe2203sp3"}]}],"ecosystem_specific":{"noarch":["ed25519-java-0.3.0-5.oe2203sp3.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2203sp3.noarch.rpm"],"src":["ed25519-java-0.3.0-5.oe2203sp3.src.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"ed25519-java","purl":"pkg:rpm/openEuler/ed25519-java\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.0-5.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["ed25519-java-0.3.0-5.oe2203sp4.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2203sp4.noarch.rpm"],"src":["ed25519-java-0.3.0-5.oe2203sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS","name":"ed25519-java","purl":"pkg:rpm/openEuler/ed25519-java\u0026distro=openEul
er-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.0-5.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["ed25519-java-0.3.0-5.oe2403.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2403.noarch.rpm","ed25519-java-0.3.0-5.oe2403sp1.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2403sp1.noarch.rpm"],"src":["ed25519-java-0.3.0-5.oe2403.src.rpm","ed25519-java-0.3.0-5.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"ed25519-java","purl":"pkg:rpm/openEuler/ed25519-java\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.0-5.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["ed25519-java-0.3.0-5.oe2403sp1.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2403sp1.noarch.rpm"],"src":["ed25519-java-0.3.0-5.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"ed25519-java","purl":"pkg:rpm/openEuler/ed25519-java\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.0-5.oe2003sp4"}]}],"ecosystem_specific":{"noarch":["ed25519-java-0.3.0-5.oe2003sp4.noarch.rpm","ed25519-java-javadoc-0.3.0-5.oe2003sp4.noarch.rpm"],"src":["ed25519-java-0.3.0-5.oe2003sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1334"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36843"}],"database_specific":{"severity":"Medium"}}