Your message dated Tue, 25 Jul 2023 20:48:05 +0000
with message-id <e1qoowv-000emn...@fasolo.debian.org>
and subject line Bug#1041423: fixed in cjose 0.6.2.2-1
has caused the Debian Bug report #1041423,
regarding cjose: CVE-2023-37464
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cjose
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for cjose.

CVE-2023-37464[0]:
| OpenIDC/cjose is a C library implementing the Javascript Object
| Signing and Encryption (JOSE). The AES GCM decryption routine
| incorrectly uses the Tag length from the actual Authentication Tag
| provided in the JWE. The spec says that a fixed length of 16 octets
| must be applied. Therefore this bug allows an attacker to provide a
| truncated Authentication Tag and to modify the JWE accordingly.
| Users should upgrade to a version >= 0.6.2.2. Users unable to
| upgrade should avoid using AES GCM encryption and replace it with
| another encryption algorithm (e.g. AES CBC).

https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e (v0.6.2.2)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37464
    https://www.cve.org/CVERecord?id=CVE-2023-37464

Please adjust the affected versions in the BTS as needed.

--- End Message ---
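The bug described in the report above is a decryptor that lets the sender choose the GCM tag length. The following is an added example written for this page, not cjose's own code: cjose is C on top of OpenSSL, but Go's standard library exposes the same knob through cipher.NewGCMWithTagSize, which makes the vulnerable and fixed versions easy to place side by side. The gcmJWE type, the function names, the key, IV and protected-header bytes are all constructed for the demonstration. One limit of the model: Go refuses tag sizes below 12 bytes, so the truncation shown is 16 to 12 octets, whereas OpenSSL (which cjose calls) accepts a decryption tag as short as 1 byte, so an attacker against the unfixed library could shrink the forgery search to 256 guesses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmJWE holds the AES-GCM parts of a JWE: IV, ciphertext, Authentication
// Tag and the additional authenticated data (for a JWE, the ASCII bytes of
// the base64url protected header). Constructed for this example, not a cjose type.
type gcmJWE struct {
	IV         []byte
	Ciphertext []byte
	Tag        []byte
	AAD        []byte
}

// joinTag appends the tag to a copy of the ciphertext, the layout cipher.AEAD.Open expects.
func joinTag(ct, tag []byte) []byte {
	out := make([]byte, 0, len(ct)+len(tag))
	out = append(out, ct...)
	return append(out, tag...)
}

// encryptGCM produces a JWE-style payload with the 128-bit tag that RFC 7518
// requires for A128GCM, A192GCM and A256GCM.
func encryptGCM(key, iv, plaintext, aad []byte) (gcmJWE, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return gcmJWE{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return gcmJWE{}, err
	}
	sealed := aead.Seal(nil, iv, plaintext, aad)
	n := len(sealed) - aead.Overhead()
	return gcmJWE{IV: iv, Ciphertext: sealed[:n], Tag: sealed[n:], AAD: aad}, nil
}

// vulnerableDecrypt reproduces the flaw: the tag length given to GCM is whatever
// length the attacker-controlled JWE tag has. GCM computes the full 16-byte tag
// and compares only a prefix of it, so a truncated tag still verifies.
func vulnerableDecrypt(key []byte, j gcmJWE) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCMWithTagSize(block, len(j.Tag)) // attacker-chosen length
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, j.IV, joinTag(j.Ciphertext, j.Tag), j.AAD)
}

// fixedDecrypt pins the tag length to the 16 octets the spec mandates and
// rejects anything else before the cipher is touched.
func fixedDecrypt(key []byte, j gcmJWE) ([]byte, error) {
	const requiredTagLen = 16
	if len(j.Tag) != requiredTagLen {
		return nil, fmt.Errorf("JWE tag is %d octets, want %d", len(j.Tag), requiredTagLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // always a 16-byte tag
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, j.IV, joinTag(j.Ciphertext, j.Tag), j.AAD)
}

// truncateTag is the attacker's move: cut the tag to n bytes without knowing the key.
func truncateTag(j gcmJWE, n int) gcmJWE {
	t := j
	t.Tag = append([]byte(nil), j.Tag[:n]...)
	return t
}

// demoResult records how each decryptor treats an untouched and a truncated JWE.
type demoResult struct {
	FullTagFixedAccepts   bool // fixed decryptor, original 16-byte tag
	TruncatedVulnAccepts  bool // vulnerable decryptor, 12-byte tag
	TruncatedFixedAccepts bool // fixed decryptor, 12-byte tag
}

// demo encrypts a small payload, truncates its tag to 12 bytes and runs both decryptors.
func demo() (demoResult, error) {
	// Constructed values; a real system must never reuse an IV under one key.
	key := bytes.Repeat([]byte{0x42}, 32)                       // A256GCM CEK
	iv := []byte("twelve-bytes")                                // 96-bit IV
	aad := []byte("eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0") // protected header
	plaintext := []byte(`{"sub":"alice"}`)

	j, err := encryptGCM(key, iv, plaintext, aad)
	if err != nil {
		return demoResult{}, err
	}
	short := truncateTag(j, 12)

	var r demoResult
	pt, err := fixedDecrypt(key, j)
	r.FullTagFixedAccepts = err == nil && bytes.Equal(pt, plaintext)
	pt, err = vulnerableDecrypt(key, short)
	r.TruncatedVulnAccepts = err == nil && bytes.Equal(pt, plaintext)
	_, err = fixedDecrypt(key, short)
	r.TruncatedFixedAccepts = err == nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The truncated tag is still a valid prefix of the real one, so the vulnerable path decrypts the message as if nothing were wrong; the fixed path refuses it on length alone, which is the check the cjose 0.6.2.2 commit linked above adds. Shortening the tag does not by itself give the attacker a forgery, it lowers the number of guesses needed for one: 2^96 for the 12-byte minimum Go allows, but only 2^8 for the 1-byte minimum OpenSSL accepts, which is why the advisory rates the truncation as a break of AES GCM integrity rather than a hardening nit.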
--- Begin Message ---
Source: cjose
Source-Version: 0.6.2.2-1
Done: Moritz Schlarb <schla...@uni-mainz.de>

We believe that the bug you reported is fixed in the latest version of
cjose, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Schlarb <schla...@uni-mainz.de> (supplier of updated cjose package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Jul 2023 21:55:33 +0200
Source: cjose
Binary: libcjose-dev libcjose0 libcjose0-dbgsym
Architecture: source amd64
Version: 0.6.2.2-1
Distribution: unstable
Urgency: high
Maintainer: Moritz Schlarb <schla...@uni-mainz.de>
Changed-By: Moritz Schlarb <schla...@uni-mainz.de>
Description:
 libcjose-dev - C library implementing the JOSE standard (development files)
 libcjose0  - C library implementing the JOSE standard
Closes: 1041423
Changes:
 cjose (0.6.2.2-1) unstable; urgency=high
 .
   * New upstream version 0.6.2.2
     + Fixes CVE-2023-37464: incorrect Authentication Tag length usage in
       AES GCM decryption
     Closes: #1041423
Checksums-Sha1:
 1db3e97aa79abebaefc15b4bca0512dbe90e59e3 2027 cjose_0.6.2.2-1.dsc
 4037d1a8ebef22d9fea22dd9e236a91bf1c6166c 498461 cjose_0.6.2.2.orig.tar.gz
 95e1def2ef45f4c9868fbfc40aa076a42c78df23 4156 cjose_0.6.2.2-1.debian.tar.xz
 84b146252e1b743b1c881305c680292bc6f91b4b 7119 cjose_0.6.2.2-1_amd64.buildinfo
 1711d72eed2e097f6d96174c0c0bc463ea659877 45052 libcjose-dev_0.6.2.2-1_amd64.deb
 853bf30cca25b667bf29b59ece7515bf535a33c6 85936 libcjose0-dbgsym_0.6.2.2-1_amd64.deb
 a855a7486d849801403fd78486321c12df62b8e2 36452 libcjose0_0.6.2.2-1_amd64.deb
Checksums-Sha256:
 b5a9192c77359ca995ab23cd06664b4c297d1c7e566cec35c8785b21e014d473 2027 cjose_0.6.2.2-1.dsc
 7bb257bf56580cd788473725f88a72263b6de15282060fa211b2a838ad75a0f9 498461 cjose_0.6.2.2.orig.tar.gz
 1f27ec7f1f5ec0df15fb064ce7eb82d4e8772d8f8db40997e2d9db526cf4ed02 4156 cjose_0.6.2.2-1.debian.tar.xz
 5a134b8fae2beb8e695c3e0e300729d4000a231ad50dc356635441cc7dcc8451 7119 cjose_0.6.2.2-1_amd64.buildinfo
 c47f057b420d09fa53427f36665d9bdfb20103686f6bebe0ff17d0bdd535f8d4 45052 libcjose-dev_0.6.2.2-1_amd64.deb
 3bb006d2f146c85cbd6b5bcfeb6ddf4ec8a5d648e6950a34ac2fc5463a3c48ff 85936 libcjose0-dbgsym_0.6.2.2-1_amd64.deb
 7540d7857d7dfa3e28395da6d18e5c7481ae3d2f34acb6fe44196cada7b3bfc9 36452 libcjose0_0.6.2.2-1_amd64.deb
Files:
 55a50983bc8e35c7d46a82349508654d 2027 libs optional cjose_0.6.2.2-1.dsc
 ad9129b3b984436baf30e9a0287ca441 498461 libs optional cjose_0.6.2.2.orig.tar.gz
 736e221693a5bb3c17ef01aed7d73fe2 4156 libs optional cjose_0.6.2.2-1.debian.tar.xz
 bcd63fec1adcaf2f1ee6d070db8b1297 7119 libs optional cjose_0.6.2.2-1_amd64.buildinfo
 711fd4000cfc060a32874957c9025d81 45052 libdevel optional libcjose-dev_0.6.2.2-1_amd64.deb
 c46aadfb2f027b6e6e661cdcbe689794 85936 debug optional libcjose0-dbgsym_0.6.2.2-1_amd64.deb
 75cac416168046729a7537198febc8ad 36452 libs optional libcjose0_0.6.2.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---