Update libsecp256k1 (overflowing signatures vulnerability)
tmpfs opened this issue · comments
The version of libsecp256k1 in use is vulnerable to overflowing signatures: https://rustsec.org/advisories/RUSTSEC-2021-0076.html.
An upgrade to 0.5 or later should fix the issue. Any idea on how much effort is required for this update?
Happy to work with you to get this updated 🙏
Oh, it looks like libsecp256k1 is only used for testing, so I created #169 to add some clarity if anyone else stumbles upon this.
Thanks for reporting.
I'll remove this dependency altogether in exchange for the original secp256k1 library.