Steve McIntyre wrote on 30.4.2024 at 19.19:
Hi!

On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
Source: python-jwcrypto
Version: 1.5.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-jwcrypto.

CVE-2024-28102[0]:
| JWCrypto implements JWK, JWS, and JWE specifications using python-
| cryptography. Prior to version 1.5.6, an attacker can cause a denial
| of service attack by passing in a malicious JWE Token with a high
| compression ratio. When the server processes this token, it will
| consume a lot of memory and processing time. Version 1.5.6 fixes
| this vulnerability by limiting the maximum token length.

We wanted this fixed in Pexip, so I've taken a look at this bug.

The upstream bugfix just needs a small rework so it applies cleanly to
the version in bookworm. Here's a debdiff for that in case it's
useful.

I've pushed 1.5.6 to sid now, feel free to upload the proposed version for bookworm, thanks.

--
t
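The CVE text quoted above describes a decompression bomb: a small JWE token whose `zip: "DEF"` payload inflates to a huge plaintext, and the mitigation of capping the token length. The following is an added illustration of that class of check, written for this thread; it is not jwcrypto's code and not the upstream or Debian patch. The limits `MAX_TOKEN_BYTES` and `MAX_PLAINTEXT_BYTES`, the helper names, and the sample tokens are all constructed for the example. It shows two complementary defences: rejecting over-long tokens before any work is done, and inflating with an output bound so that even a token under the length cap cannot expand without limit.

```python
import zlib

# Constructed limits for this example (not jwcrypto's actual values).
MAX_TOKEN_BYTES = 256 * 1024        # reject tokens larger than this before parsing
MAX_PLAINTEXT_BYTES = 1024 * 1024   # never inflate to more than this many bytes


class TokenTooLarge(ValueError):
    """Raised when a token or its inflated plaintext exceeds a configured bound."""


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib/gzip header), as JWE 'zip': 'DEF' uses (RFC 7516)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def check_token_length(token: bytes, limit: int = MAX_TOKEN_BYTES) -> None:
    """First line of defence: refuse oversized tokens before doing any parsing."""
    if len(token) > limit:
        raise TokenTooLarge(f"token is {len(token)} bytes, limit is {limit}")


def bounded_inflate(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE data, stopping as soon as max_out bytes have been produced.

    zlib.decompressobj(-15) expects raw DEFLATE; passing max_length to decompress()
    makes zlib stop producing output at that bound instead of growing the buffer.
    Input that could not be consumed within the bound is left in unconsumed_tail,
    and eof stays False if the stream did not finish, so either condition means
    the plaintext would have been larger than we are willing to hold.
    """
    dec = zlib.decompressobj(-15)
    out = dec.decompress(data, max_out)
    if dec.unconsumed_tail or not dec.eof:
        raise TokenTooLarge(f"inflated plaintext exceeds {max_out} bytes")
    return out


def accepts(token: bytes, compressed_plaintext: bytes) -> bool:
    """Return True only if both checks pass for the given token and its payload."""
    try:
        check_token_length(token)
        bounded_inflate(compressed_plaintext)
        return True
    except TokenTooLarge:
        return False


def compression_ratio(original: bytes, compressed: bytes) -> float:
    """Original size divided by compressed size; bombs have very high ratios."""
    return len(original) / max(len(compressed), 1)


if __name__ == "__main__":
    # Constructed sample payloads: a normal claim set and a 4 MiB run of zeros
    # that deflates to a few kilobytes.
    normal = b'{"sub":"alice","exp":1700000000}'
    bomb = b"\x00" * (4 * 1024 * 1024)

    normal_deflated = deflate(normal)
    bomb_deflated = deflate(bomb)

    print("normal ratio: %.1f" % compression_ratio(normal, normal_deflated))
    print("bomb ratio:   %.1f" % compression_ratio(bomb, bomb_deflated))
    print("normal accepted:", accepts(normal_deflated, normal_deflated))
    print("bomb accepted:  ", accepts(bomb_deflated, bomb_deflated))
```

The token-length cap alone is what the CVE text says the upstream fix adds; the output-bounded inflate is the second check a server should keep anyway, because a token just under the length cap can still carry a very high compression ratio.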
