CVE-2020-36843 Vulnerability

[Muthu-Palaniyappan-OL]

This library is vulnerable to CVE-2020-36843. Can we have a patch for this vulnerability ?

[Muthu-Palaniyappan-OL]

@bbottema can i get a fix for this vulnerability ?

[bbottema]

How is this library affected? What's the dependency chain? I haven't seen any sec scans that report this for this library (yet).

[Muthu-Palaniyappan-OL]

We pull net.i2p.crypto.eddsa:0.3.0 in pom.xml, which is affected by CVE-2020-36843

<dependency>
    <groupId>net.i2p.crypto</groupId>
    <artifactId>eddsa</artifactId>
    <version>0.3.0</version>
</dependency>

Maven Link: net.i2p.crypto/eddsa/0.3.0

[bbottema]

Oh I just saw this library directly depends on it. I'll have a look today, probably.

[Muthu-Palaniyappan-OL]

#8

Does this sound good ?

[bbottema]

It looks good to me. I want to test this change with a few down stream dependencies first, though. Thank you for the contribution!

[Muthu-Palaniyappan-OL]

Thanks a lot for maintaining this project 👏 .

Can you suggest me how to test ? mvn test is failing for me

[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.01 s <<< FAILURE! - in org.simplejavamail.utils.mail.dkim.DkimMessageTest
[ERROR] checkCreatesSameMessageAsBefore  Time elapsed: 0.01 s  <<< FAILURE!
org.opentest4j.AssertionFailedError: SIMPLE SHA-1 / random5.txt ==> array contents differ at index [233], expected: <79> but was: <97>
	at org.simplejavamail.utils.mail.dkim.DkimMessageTest.checkCreatesSameMessageAsBefore(DkimMessageTest.java:86)
	at org.simplejavamail.utils.mail.dkim.DkimMessageTest.checkCreatesSameMessageAsBefore(DkimMessageTest.java:72)

What can be a my next steps to get this PR merged and new version of java-utils-mail-dkim get published ? I have updated my PR, can i get a code review #8

i am a new to Open-source. 😅

[bbottema]

Now you wait until I've reviewed and tested the change :)

About the test. I fI remember correctly, the test fails under Windows machines, but works for Linux machines. I'm not entirely sure why that is, but it's been like that since before I took over the code base.

[bbottema]

Released in 3.2.1. Again, thank you for your help in this.

[Muthu-Palaniyappan-OL]

Thanks a lot 🙏 Great Project 👏 Great Community as well !!