Your message dated Sat, 12 Aug 2023 11:02:43 +0000
with message-id <e1qumoj-00cyuz...@fasolo.debian.org>
and subject line Bug#1041423: fixed in cjose 0.6.1+dfsg1-1+deb11u1
has caused the Debian Bug report #1041423,
regarding cjose: CVE-2023-37464
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1041423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cjose
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for cjose.
CVE-2023-37464[0]:
| OpenIDC/cjose is a C library implementing the Javascript Object
| Signing and Encryption (JOSE). The AES GCM decryption routine
| incorrectly uses the Tag length from the actual Authentication Tag
| provided in the JWE. The spec says that a fixed length of 16 octets
| must be applied. Therefore this bug allows an attacker to provide a
| truncated Authentication Tag and to modify the JWE accordingly.
| Users should upgrade to a version >= 0.6.2.2. Users unable to
| upgrade should avoid using AES GCM encryption and replace it with
| another encryption algorithm (e.g. AES CBC).
https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e
(v0.6.2.2)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-37464
https://www.cve.org/CVERecord?id=CVE-2023-37464
Please adjust the affected versions in the BTS as needed.
--- End Message ---
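As an added example (not code from the bug report or from cjose itself): a defensive pre-check over a JWE compact serialization that enforces the fixed lengths RFC 7518 requires for the AES-GCM content-encryption algorithms, a 96-bit IV and a 128-bit (16-octet) authentication tag, so that a JWE carrying a truncated tag is rejected before any decryption call is made. The sample JWEs it builds are constructed placeholders, not real ciphertexts.

```python
import base64
import json

# JWE content-encryption algorithms built on AES-GCM (RFC 7518 section 5.3).
# The spec fixes the IV at 96 bits and the authentication tag at 128 bits.
GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_IV_LEN = 12
GCM_TAG_LEN = 16


def b64url_decode(part: str) -> bytes:
    """Decode unpadded base64url as used throughout JOSE (RFC 7515 appendix C)."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_jwe_gcm_lengths(compact_jwe: str) -> tuple:
    """Return (ok, reason). ok is True only if the JWE does not use AES-GCM,
    or uses it with exactly a 12-octet IV and a 16-octet tag; the tag length
    is taken from the spec, never from the tag the sender supplied."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "compact JWE must have exactly 5 parts"
    protected, _encrypted_key, iv, _ciphertext, tag = parts
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "protected header is not valid base64url JSON"
    enc = header.get("enc") if isinstance(header, dict) else None
    if enc not in GCM_ENCS:
        return True, f"enc={enc!r} is not AES-GCM; no GCM length rule applies"
    iv_len = len(b64url_decode(iv))
    tag_len = len(b64url_decode(tag))
    if iv_len != GCM_IV_LEN:
        return False, f"{enc} IV must be {GCM_IV_LEN} octets, got {iv_len}"
    if tag_len != GCM_TAG_LEN:
        return False, f"{enc} tag must be {GCM_TAG_LEN} octets, got {tag_len}"
    return True, "GCM IV and tag lengths are as the spec requires"


def make_sample_jwe(tag_len: int) -> str:
    """Constructed sample JWE (alg=dir, enc=A256GCM) with a tag of tag_len
    octets; ciphertext bytes are placeholders, not a real encryption."""
    header = b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode())
    iv = b64url_encode(b"\x01" * GCM_IV_LEN)
    ciphertext = b64url_encode(b"\x02" * 32)
    tag = b64url_encode(b"\x03" * tag_len)
    return ".".join([header, "", iv, ciphertext, tag])
```

Running the check on `make_sample_jwe(16)` accepts the token, while `make_sample_jwe(1)` or `make_sample_jwe(15)` is refused with the tag-length reason.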
--- Begin Message ---
Source: cjose
Source-Version: 0.6.1+dfsg1-1+deb11u1
Done: Moritz Muehlenhoff <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cjose, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated cjose package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 04 Aug 2023 15:43:36 +0200
Source: cjose
Architecture: source
Version: 0.6.1+dfsg1-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Matthew A. Miller <linuxw...@outer-planes.net>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Closes: 1041423
Changes:
cjose (0.6.1+dfsg1-1+deb11u1) bullseye-security; urgency=medium
.
* CVE-2023-37464 (Closes: #1041423)
--- End Message ---