Your message dated Wed, 13 Mar 2024 15:22:00 +0000
with message-id <e1rkqqa-0079ia...@fasolo.debian.org>
and subject line Bug#1065814: fixed in golang-github-go-jose-go-jose 4.0.1-1
has caused the Debian Bug report #1065814,
regarding golang-github-go-jose-go-jose: CVE-2024-28180
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1065814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-go-jose-go-jose
Version: 3.0.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-go-jose-go-jose.
CVE-2024-28180[0]:
| Package jose aims to provide an implementation of the Javascript
| Object Signing and Encryption set of standards. An attacker could
| send a JWE containing compressed data that used large amounts of
| memory and CPU when decompressed by Decrypt or DecryptMulti. Those
| functions now return an error if the decompressed data would exceed
| 250kB or 10x the compressed size (whichever is larger). This
| vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28180
https://www.cve.org/CVERecord?id=CVE-2024-28180
[1] https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
[2]
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
Regards,
Salvtore
--- End Message ---
--- Begin Message ---
Source: golang-github-go-jose-go-jose
Source-Version: 4.0.1-1
Done: Bo YU <tsu.y...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
golang-github-go-jose-go-jose, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1065...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bo YU <tsu.y...@gmail.com> (supplier of updated golang-github-go-jose-go-jose
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 Mar 2024 22:53:16 +0800
Source: golang-github-go-jose-go-jose
Architecture: source
Version: 4.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Bo YU <tsu.y...@gmail.com>
Closes: 1065814
Changes:
golang-github-go-jose-go-jose (4.0.1-1) unstable; urgency=medium
.
* New upstream version 4.0.1
- CVE-2024-28180: Go JOSE vulnerable to Improper Handling of
Highly Compressed Data (Data Amplification). Reported by
Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab
(@zer0yu and @chenjj). (Closes: #1065814)
* drop patch which has been applied into upstream
Checksums-Sha1:
f6b673a1a8bc1fce014eece154df8c774e60cc39 2450
golang-github-go-jose-go-jose_4.0.1-1.dsc
af1598147b98b50f313fab0d31beb6380872a533 319043
golang-github-go-jose-go-jose_4.0.1.orig.tar.gz
d3cd996ae8fbcc8860ce8348a560da1458f834e7 3712
golang-github-go-jose-go-jose_4.0.1-1.debian.tar.xz
f4f8f124f4fa378a1758e0239adbeff1dbf9046b 7607
golang-github-go-jose-go-jose_4.0.1-1_amd64.buildinfo
Checksums-Sha256:
f8e4ddeb34af5a161f1aaecf59e95ff6569b3e6c79e62a6a0e61e2eddbda8e34 2450
golang-github-go-jose-go-jose_4.0.1-1.dsc
e8177ab716bb1aaef8fa0bba5e0ee3ff1f4c7570b5a4107256c97081ed76b821 319043
golang-github-go-jose-go-jose_4.0.1.orig.tar.gz
32321202d04650de2f18666c52266ff529223137a2c6b38359377d7874ff46b0 3712
golang-github-go-jose-go-jose_4.0.1-1.debian.tar.xz
dd75fe6f83072acede997a8a08fc40e203c5528e646f8f9b47847c320f6b30e2 7607
golang-github-go-jose-go-jose_4.0.1-1_amd64.buildinfo
Files:
c3bb838ed250fcf42597bfc150dfca9d 2450 golang optional
golang-github-go-jose-go-jose_4.0.1-1.dsc
a30aad661fd4efa97c08b2bdf3edc071 319043 golang optional
golang-github-go-jose-go-jose_4.0.1.orig.tar.gz
ecb2a8c1ce637a1e44179dfc3afd3f09 3712 golang optional
golang-github-go-jose-go-jose_4.0.1-1.debian.tar.xz
ba5d4f22de2de311fc237f482d721418 7607 golang optional
golang-github-go-jose-go-jose_4.0.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEIcmhjYVTlmab0tjp+RVP3hQ+S68FAmXxwGAACgkQ+RVP3hQ+
S68H8hAApSDhwf8DWL7ldkY0/uJ9J1EN6MCLynWJtf/zeV80xAQDy7o60w5mUe3D
pHr+KvTWduDQC1fF1BfEmVbLZL7jwfjh+cwf8fRfxDc+OgE2eowcyxltz3AemaE/
YaE92tbfpDNydLKtcvPPGQcaxYf2vMKDEtP+KrJ0xLgmXtyrOrsANPWaVPjSc8UK
0LFZsinWY31djwwvukiGhQ2P6Wqzq/2lhka57Ak6dUFClivRexgoUwd82XoV0h4A
mDI/LyLEj5dlu7QMs3pBqNuccnBKLDAsvsvvCDnCM5J/VpQnc0U/IudZY0MgOBSB
qZiAnqQdLZiwJyABKkgT4QY8rCsQYdVuq902IDuVRTuAX9ve5tLeGYQTs980orTg
WWe+LbG4M9BTHbFiKjAa6WxRqCHL3uFciwBHI5ebGO3/t3Ns5iMbYdHm4L0H28E6
LYgeIx2sM6MotdqMOfhN3AXtxlwgIxPRzbn+ef7Z4PHJ/257lFv2uBKPicwpsIme
JEuwWr1Uyk9vLt4lZrz7m3L0hswztl4sFTFVXeG0Bl0s0itRP/dHBY9YBgu1aU6B
clz8WHIoq1aZFJPtiJ2DtJvyfzZfvxcYeAvXvuIqH6sMgF434qnP930UMniHHoOl
QZZe/42hLD5rrs8WVYIGAWSI3Cv49XOCpxRORTEsU7FAfFdYTH4=
=JB5e
-----END PGP SIGNATURE-----
pgpcksyvETQ3C.pgp
Description: PGP signature
--- End Message ---
