CVE for dependency ecdsa

[trupus]

Hi,

I noticed you switched from starkbank-ecdsa to ecdsa. There are currently 2 vulnerabilities for ecdsa CVE-2024-23342, PVE-2024-64396.

For now I'm just ignoring them in my CI pipeline, but what would be a better solution going forward?

Thanks

[manisha1997]

Hello!
Thanks for raising the issue.
We are taking a look at alternatives.

[gwynhowell]

@manisha1997 any updates on this?

[avalatea]

Paper trail:

• starkbank-ecdsa was removed as part of fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency #1085
• ecdsa have no plans to fix the vulnerability: CVE-2024-23342 Timing Attack tlsfuzzer/python-ecdsa#330

[yonatan-shorani]

Hi,

Any update?

[dacevedo12]

unreal.

https://github.com/tlsfuzzer/python-ecdsa?tab=readme-ov-file#security

[an-squared]

Hi team,

We’re currently using the SendGrid Python library primarily for sending emails in our application, and our security scanner has flagged a vulnerability (CVE-2024-23342) related to the ecdsa dependency included in the latest release.
Given the severity and the absence of a patched version of ecdsa, we’re concerned about the impact on production systems.

We would appreciate it if you could provide an estimated timeline for when the fix might be available.

Thanks for your support!

[pmdevita]

Any update on this?

[garikkh]

+1 on prioritizing this fix and possibly using #1114 to replace the ecdsa library altogether.

Our product uses sendgrid but will not be upgrading to a vulnerable version of it.