[JOC-2020] Update eddsa version 0.3.0 due to 3rd Party Vulnerability issue CVE-2020-36843 - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.5.11, 2.7.3, 2.8.0
Fix Version/s: 2.5.12, 2.7.6, 2.8.1
Component/s: None
Labels:
None

CVE-ID:
CVE-2020-36843

Description

Current Situation

JS7 JOC Cockpit and Agent ship with 3rd party library eddsa 0.3.0 through the use of 3rd party library sshj.
a vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2020-36843
no newer version of eddsa is available at the time, which fixes the problem

Findings

a fix from a different publisher is available since march 2019

- https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712#diff-e28e88f167acc248cdff94ca65274c83be213a12f5a2e236df3a862933643e07
it is suggested to be merged into the publishers project
- see https://github.com/str4d/ed25519-java/issues/82#issue-727629226A new
A new version 0.40.0 of sshj has been published on 2025-05-13 which does not make use the vulnerable library eddsa anymore.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Santiago Aucejo Petzoldt

Approver:: Ajay Kumbhkar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 28 March 2025 09:56

Updated:: 18 September 2025 17:36

Resolved:: 11 August 2025 09:20