CVE-2020-36843 Vulnerability #7

Closed
Muthu-Palaniyappan-OL opened this issue Apr 11, 2025 · 10 comments
@Muthu-Palaniyappan-OL
Contributor

This library is vulnerable to CVE-2020-36843. Can we have a patch for this vulnerability?

@Muthu-Palaniyappan-OL
Contributor Author

@bbottema Can I get a fix for this vulnerability?

@bbottema
Member

How is this library affected? What's the dependency chain? I haven't seen any sec scans that report this for this library (yet).

@Muthu-Palaniyappan-OL
Contributor Author

Muthu-Palaniyappan-OL commented Apr 13, 2025

We pull net.i2p.crypto.eddsa:0.3.0 in pom.xml, which is affected by CVE-2020-36843:

<dependency>
    <groupId>net.i2p.crypto</groupId>
    <artifactId>eddsa</artifactId>
    <version>0.3.0</version>
</dependency>

Maven Link: net.i2p.crypto/eddsa/0.3.0
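To confirm whether a downstream build still pulls the artifact named above, directly or transitively, a maintainer can scan the output of mvn dependency:tree for the groupId:artifactId from this issue. The script below is an added example and is not code from the java-utils-mail-dkim project or from this thread; the dependency-tree text it parses is a constructed sample standing in for a real run, and the artifact version it reports is only printed, not judged, so the reader compares it against the advisory themselves.

```shell
#!/bin/sh
# Added example (not part of the java-utils-mail-dkim project): find every
# occurrence of net.i2p.crypto:eddsa in `mvn dependency:tree` output so a
# downstream build can verify, before and after upgrading, whether the
# artifact named in this issue is still on the classpath.

# Constructed sample of `mvn dependency:tree` output (not a real run).
SAMPLE_TREE='[INFO] org.example:downstream-app:jar:1.0.0
[INFO] +- org.simplejavamail:utils-mail-dkim:jar:3.2.0:compile
[INFO] |  \- net.i2p.crypto:eddsa:jar:0.3.0:compile
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.10.0:test'

# find_eddsa_deps: read dependency-tree text on stdin and print each distinct
# occurrence of the artifact as groupId:artifactId:version, one per line.
# Exit status 0 when at least one occurrence is found, 1 otherwise.
find_eddsa_deps() {
    # Maven prints coordinates as groupId:artifactId:packaging:version:scope;
    # keep the first four fields, then drop the packaging field.
    grep -o 'net\.i2p\.crypto:eddsa:[^:]*:[^:]*' |
        awk -F: '{ print $1 ":" $2 ":" $4 }' |
        sort -u |
        grep .
}

# Runs the check against the constructed sample. In real use pipe the build
# output instead:  mvn dependency:tree | find_eddsa_deps
check_sample() {
    printf '%s\n' "$SAMPLE_TREE" | find_eddsa_deps
}

check_sample && echo "artifact present; compare the version against the CVE-2020-36843 advisory"
```

The grep/awk pair works on the plain-text tree that Maven prints with the default output style; the same function can be fed the output of mvn dependency:list, which uses the same groupId:artifactId:packaging:version:scope layout.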

@bbottema
Member

Oh I just saw this library directly depends on it. I'll have a look today, probably.

@Muthu-Palaniyappan-OL
Contributor Author

#8

Does this sound good?

@bbottema
Member

It looks good to me. I want to test this change with a few downstream dependencies first, though. Thank you for the contribution!

@Muthu-Palaniyappan-OL
Contributor Author

Thanks a lot for maintaining this project 👏.

Can you suggest how I should test? mvn test is failing for me:

[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.01 s <<< FAILURE! - in org.simplejavamail.utils.mail.dkim.DkimMessageTest
[ERROR] checkCreatesSameMessageAsBefore  Time elapsed: 0.01 s  <<< FAILURE!
org.opentest4j.AssertionFailedError: SIMPLE SHA-1 / random5.txt ==> array contents differ at index [233], expected: <79> but was: <97>
	at org.simplejavamail.utils.mail.dkim.DkimMessageTest.checkCreatesSameMessageAsBefore(DkimMessageTest.java:86)
	at org.simplejavamail.utils.mail.dkim.DkimMessageTest.checkCreatesSameMessageAsBefore(DkimMessageTest.java:72)

What are my next steps to get this PR merged and a new version of java-utils-mail-dkim published? I have updated my PR; can I get a code review? #8

I am new to open source. 😅

@bbottema
Member

Now you wait until I've reviewed and tested the change :)

About the test: if I remember correctly, the test fails on Windows machines but works on Linux machines. I'm not entirely sure why that is, but it's been like that since before I took over the code base.

@bbottema
Member

bbottema commented Apr 13, 2025

Released in 3.2.1. Again, thank you for your help in this.

@Muthu-Palaniyappan-OL
Contributor Author

Muthu-Palaniyappan-OL commented Apr 13, 2025

Thanks a lot 🙏 Great project 👏, great community as well!!
