CVE for dependency ecdsa

[trupus]

Hi,

I noticed you switched from starkbank-ecdsa to ecdsa. There are currently 2 vulnerabilities for ecdsa CVE-2024-23342, PVE-2024-64396.

For now I'm just ignoring them in my CI pipeline, but what would be a better solution going forward?

Thanks

[manisha1997]

Hello!
Thanks for raising the issue.
We are taking a look at alternatives.

[gwynhowell]

@manisha1997 any updates on this?

[avalatea]

Paper trail:

• starkbank-ecdsa was removed as part of fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency #1085
• ecdsa have no plans to fix the vulnerability: CVE-2024-23342 Timing Attack tlsfuzzer/python-ecdsa#330