Your message dated Sat, 12 Aug 2023 11:02:08 +0000
with message-id <e1qumnk-00cyls...@fasolo.debian.org>
and subject line Bug#1041423: fixed in cjose 0.6.2.1-1+deb12u1
has caused the Debian Bug report #1041423,
regarding cjose: CVE-2023-37464
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cjose
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for cjose.

CVE-2023-37464[0]:
| OpenIDC/cjose is a C library implementing the Javascript Object
| Signing and Encryption (JOSE). The AES GCM decryption routine
| incorrectly uses the Tag length from the actual Authentication Tag
| provided in the JWE. The spec says that a fixed length of 16 octets
| must be applied. Therefore this bug allows an attacker to provide a
| truncated Authentication Tag and to modify the JWE accordingly.
| Users should upgrade to a version >= 0.6.2.2. Users unable to
| upgrade should avoid using AES GCM encryption and replace it with
| another encryption algorithm (e.g. AES CBC).

https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e (v0.6.2.2)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37464
    https://www.cve.org/CVERecord?id=CVE-2023-37464

Please adjust the affected versions in the BTS as needed.

--- End Message ---
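The advisory quoted above describes a decryption routine that trusts the length of the tag that arrives in the JWE instead of enforcing the 128-bit (16-octet) tag that RFC 7518 section 5.3 requires for A128GCM, A192GCM and A256GCM. The check below, added here as an illustration and not part of cjose or of the bug report, shows what the missing constraint looks like from the consuming application's side: parse the compact serialization, base64url-decode the tag, and refuse to pass a GCM JWE to any decryption routine unless the tag is exactly 16 octets. The function names and the constructed sample JWE (dummy ciphertext, `alg: dir`) are assumptions for the demonstration; only the standard library is used.

```python
"""Pre-decryption sanity check for JWE AES-GCM authentication tags.

Added illustration for the CVE-2023-37464 description; this is not cjose
code. RFC 7518 fixes the GCM tag at 128 bits (16 octets), so a consumer
can reject a JWE whose tag decodes to any other length before the
ciphertext reaches a decryption routine that might accept a short tag.
"""
import base64
import json

GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_TAG_LEN = 16  # octets, fixed by RFC 7518 section 5.3


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used by JWE compact serialization."""
    pad = "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s + pad)


def b64url_encode(b: bytes) -> str:
    """Encode to unpadded base64url."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_jwe_tag(compact_jwe: str) -> int:
    """Return the decoded tag length if the JWE passes the check.

    Raises ValueError for malformed input or, when the protected header
    selects GCM content encryption, for a tag that is not exactly 16
    octets. Non-GCM encryptions are not constrained by this function.
    """
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have 5 parts")
    header_b64, _enc_key, _iv, _ciphertext, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    tag = b64url_decode(tag_b64)
    if header.get("enc") in GCM_ENCS and len(tag) != GCM_TAG_LEN:
        raise ValueError(
            f"GCM tag must be {GCM_TAG_LEN} octets, got {len(tag)}")
    return len(tag)


def make_sample_jwe(enc: str, tag: bytes) -> str:
    """Build a constructed compact JWE with placeholder ciphertext.

    Demonstration input only: the ciphertext is not decryptable, the
    point is to exercise the tag-length check on the fifth component.
    """
    header = b64url_encode(json.dumps({"alg": "dir", "enc": enc}).encode())
    enc_key = ""  # empty encrypted key for alg=dir
    iv = b64url_encode(b"\x00" * 12)
    ciphertext = b64url_encode(b"ciphertext-placeholder")
    return ".".join([header, enc_key, iv, ciphertext, b64url_encode(tag)])


def tag_is_accepted(enc: str, tag: bytes) -> bool:
    """True if a JWE with this enc and tag would be handed on to decryption."""
    try:
        check_jwe_tag(make_sample_jwe(enc, tag))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(tag_is_accepted("A256GCM", b"\x11" * 16))  # full-length tag: True
    print(tag_is_accepted("A256GCM", b"\x11" * 4))   # truncated tag: False
    print(tag_is_accepted("A128CBC-HS256", b"\x11" * 16))  # not GCM: True
```

A guard like this belongs in front of the library call, not instead of the library fix: a decryption routine that honours a shorter tag lowers the work needed to forge a ciphertext to one success in 2^(8·len) guesses, so the upgrade to a fixed version remains the actual remedy.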
--- Begin Message ---
Source: cjose
Source-Version: 0.6.2.1-1+deb12u1
Done: Moritz Mühlenhoff <j...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cjose, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated cjose package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Aug 2023 16:06:39 +0200
Source: cjose
Architecture: source
Version: 0.6.2.1-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Moritz Schlarb <schla...@uni-mainz.de>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1041423
Changes:
 cjose (0.6.2.1-1+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2023-37464 (Closes: #1041423)
Checksums-Sha1:
 b1c57d27f7457f134a33e9812920f06a0c13cc81 2026 cjose_0.6.2.1-1+deb12u1.dsc
 d010e4f2221c124cbd81127f18aa43a4cfbd01c9 493790 cjose_0.6.2.1.orig.tar.gz
 09d8ca2d7a3af36a54249b338c0e04493ef9144b 5380 cjose_0.6.2.1-1+deb12u1.debian.tar.xz
 2acc51ea6d2e0f6e9ca8a448537dddd9890df078 5812 cjose_0.6.2.1-1+deb12u1_source.buildinfo
Checksums-Sha256:
 c23b29278080e6f69febcfd49803a92563a8e97cb006a6217e5f7c08219ff1c1 2026 cjose_0.6.2.1-1+deb12u1.dsc
 90924f021878bfdb53536f8e3495876047d5b5ec34de96b431883c85f12c459a 493790 cjose_0.6.2.1.orig.tar.gz
 b46d6fd5551331f4cb2066033d8c545358e3dc2d401bee837202cf25a46c8732 5380 cjose_0.6.2.1-1+deb12u1.debian.tar.xz
 c06824476929b80984a0b00f72f85cb76406c53fc4a12b9fa310e8bcb3a69b44 5812 cjose_0.6.2.1-1+deb12u1_source.buildinfo
Files:
 9e1c6783820ee0df7c104bb56de77245 2026 libs optional cjose_0.6.2.1-1+deb12u1.dsc
 c33c2583ed64f0c66da35d6aa3361936 493790 libs optional cjose_0.6.2.1.orig.tar.gz
 06c71ffacd821c6dc4b685b77e33cd99 5380 libs optional cjose_0.6.2.1-1+deb12u1.debian.tar.xz
 2c172e8cb73fd18daa65a627ec042a8d 5812 libs optional cjose_0.6.2.1-1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
