Your message dated Thu, 02 May 2024 06:20:36 +0000
with message-id <[email protected]>
and subject line Bug#1065688: fixed in python-jwcrypto 1.5.6-1
has caused the Debian Bug report #1065688,
regarding python-jwcrypto: CVE-2024-28102
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1065688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-jwcrypto
Version: 1.5.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-jwcrypto.
CVE-2024-28102[0]:
| JWCrypto implements JWK, JWS, and JWE specifications using python-
| cryptography. Prior to version 1.5.6, an attacker can cause a denial
| of service attack by passing in a malicious JWE Token with a high
| compression ratio. When the server processes this token, it will
| consume a lot of memory and processing time. Version 1.5.6 fixes
| this vulnerability by limiting the maximum token length.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28102
https://www.cve.org/CVERecord?id=CVE-2024-28102
[1] https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
[2] https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
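The advisory above describes a decompression-style denial of service (a JWE whose compressed content inflates to far more than its token size) and says upstream 1.5.6 mitigates it by capping the token length. The following is an added illustration of the two defensive gates a verifier can apply, written here for this page; it is neither jwcrypto's code nor part of the bug report, and the limits, helper names and the sample JWE parts are constructed for the example.

```python
import base64
import zlib

# Bounds chosen here for illustration; they are not jwcrypto's own constants.
MAX_TOKEN_LEN = 250_000        # a compact JWE longer than this is rejected unparsed
MAX_PLAINTEXT_LEN = 1_000_000  # inflation stops once this many bytes are produced


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE as used by JWE "zip": "DEF" (no zlib/gzip framing)."""
    co = zlib.compressobj(level=9, wbits=-15)
    return co.compress(plaintext) + co.flush()


def split_compact_jwe(token: str, limit: int = MAX_TOKEN_LEN) -> list[bytes]:
    """Gate 1: cap the serialized token size before decoding any of its parts."""
    if len(token) > limit:
        raise ValueError(f"token length {len(token)} exceeds {limit}")
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five parts")
    return [b64url_decode(p) for p in parts]


def inflate_bounded(data: bytes, limit: int = MAX_PLAINTEXT_LEN) -> bytes:
    """Gate 2: inflate decrypted content, stopping as soon as `limit` is reached."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit)
    # eof stays False if zlib still holds unconsumed input or pending output,
    # i.e. the stream would grow past the limit (or is truncated); refuse it.
    if not d.eof:
        raise ValueError(f"inflated size would exceed {limit} bytes")
    return out


def inflates_within_limit(data: bytes, limit: int = MAX_PLAINTEXT_LEN) -> bool:
    try:
        inflate_bounded(data, limit)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claims = b'{"sub":"alice","scope":"read"}'
    assert inflate_bounded(deflate_raw(claims)) == claims
    # Constructed highly compressible content: a few KB that inflate to 4 MB.
    bomb = deflate_raw(b"\x00" * 4_000_000)
    print(len(bomb), inflates_within_limit(bomb))  # small input, False
```

The token-length gate is cheap and runs before any decoding; the bounded inflation gate catches content that passes the first check but still expands out of proportion once decrypted.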
--- Begin Message ---
Source: python-jwcrypto
Source-Version: 1.5.6-1
Done: Timo Aaltonen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-jwcrypto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated python-jwcrypto
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 02 May 2024 09:03:21 +0300
Source: python-jwcrypto
Built-For-Profiles: noudeb
Architecture: source
Version: 1.5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1065688
Changes:
python-jwcrypto (1.5.6-1) unstable; urgency=medium
.
* New upstream release.
- CVE-2024-28102 (Closes: #1065688)
--- End Message ---