Source: golang-github-go-jose-go-jose Version: 3.0.1-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for golang-github-go-jose-go-jose. CVE-2024-28180[0]: | Package jose aims to provide an implementation of the Javascript | Object Signing and Encryption set of standards. An attacker could | send a JWE containing compressed data that used large amounts of | memory and CPU when decompressed by Decrypt or DecryptMulti. Those | functions now return an error if the decompressed data would exceed | 250kB or 10x the compressed size (whichever is larger). This | vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-28180 https://www.cve.org/CVERecord?id=CVE-2024-28180 [1] https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g [2] https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a Regards, Salvtore
