Your message dated Sat, 20 Jul 2024 10:34:39 +0000
with message-id <e1sv7qf-005glt...@fasolo.debian.org>
and subject line Bug#1067456: fixed in erlang-jose 1.11.10-1
has caused the Debian Bug report #1067456,
regarding erlang-jose: CVE-2023-50966
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1067456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: erlang-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for erlang-jose.
CVE-2023-50966[0]:
| erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow
| attackers to cause a denial of service (CPU consumption) via a large
| p2c (aka PBES2 Count) value in a JOSE header.
https://github.com/potatosalad/erlang-jose/issues/156
https://github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-50966
https://www.cve.org/CVERecord?id=CVE-2023-50966
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: erlang-jose
Source-Version: 1.11.10-1
Done: Philipp Huebner <debala...@debian.org>
We believe that the bug you reported is fixed in the latest version of
erlang-jose, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1067...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Philipp Huebner <debala...@debian.org> (supplier of updated erlang-jose package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 20 Jul 2024 12:02:54 +0200
Source: erlang-jose
Architecture: source
Version: 1.11.10-1
Distribution: unstable
Urgency: medium
Maintainer: Ejabberd Packaging Team <ejabb...@packages.debian.org>
Changed-By: Philipp Huebner <debala...@debian.org>
Closes: 1067456
Changes:
erlang-jose (1.11.10-1) unstable; urgency=medium
.
* New upstream version 1.11.10 (Closes: #1067456)
* Updated years in debian/copyright
Checksums-Sha1:
4b256e9082862e7219804ea93c136cb032daa254 2031 erlang-jose_1.11.10-1.dsc
4ea4ad2d87c3b160917b12d15cbc773b77cc4e04 336522 erlang-jose_1.11.10.orig.tar.gz
8cec1e706f8607817de2936b34bdceee3bbdca82 8268
erlang-jose_1.11.10-1.debian.tar.xz
eaa5f9b787d523bcd96f8753b9cc6e58bbb09241 14859
erlang-jose_1.11.10-1_amd64.buildinfo
Checksums-Sha256:
782842636e27662ae354fad8df2fb0b4d9e97e7897c1e4b3cd607222d5e001e4 2031
erlang-jose_1.11.10-1.dsc
8c5b01e67fa4a300b79240c03090c98b30e86a2dbf814807f0908655e1491765 336522
erlang-jose_1.11.10.orig.tar.gz
ba85e606c526ab819d533eeaba85a45689660fae030cc4889da715dbbed38904 8268
erlang-jose_1.11.10-1.debian.tar.xz
2ec707186409ff1e723276cf0e297e3fa03d906ba87f2a8dd0c44cfcc4d9e062 14859
erlang-jose_1.11.10-1_amd64.buildinfo
Files:
1162af25cb32adb2298905b1bd91fb08 2031 libs optional erlang-jose_1.11.10-1.dsc
9255cd805bacb58ff408c514427725a3 336522 libs optional
erlang-jose_1.11.10.orig.tar.gz
a7409b82ae898323f0de2fcec678b035 8268 libs optional
erlang-jose_1.11.10-1.debian.tar.xz
16e0063dc05d071c2e27da5571d32a2f 14859 libs optional
erlang-jose_1.11.10-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCgAzFiEECEGLvkRyDy26xQXsunokltrkDRwFAmabkAIVHGRlYmFsYW5j
ZUBkZWJpYW4ub3JnAAoJELp6JJba5A0c7H8P/3UAv+oFCE16QZRdXAR53pPhDGGb
S5QBUXAfa49P7nQbz+LfXTwoDjMbkzg14vSrYGVGZKXrAN0SeFsrHA+qQ2OjQLXc
bF/X25J4vkyQ72fif/cYMxmQBZSELv7XvMTUTgwsQZSu4QquWfwxD1CqBrtkA8Cu
VJvBHkv77sJZnvyG4+5NqWSvfdx53JFWwBPdm4mvkjL2ZllhXPFJcp1TwBp3vFOU
GvAy8miwp9zvxpbBm430bhGYKrGUCIqt+nrlEwnhRmTXDygrWcYYLYBpN4k8cjJB
FTHJhDj+OFhGzBMc1zGaP+aJHtyE6ufgjFYOVgBEE7ovLoOYBhDKxygDTCQvfCL/
c7dAPqRKotpSk7prw6XqvejoJsviMOdfY1F+3UqmpdmiC+KDez31nBOlC7JJxGQg
iJbu00AsGb/vOOarPgvtC4dBcmEqnFob+zDWppyum+w26nQAfqpRAxWZZ0Sjnoxa
8OVkCr0WhCJApbgg0aiZFEsDmuu2qd9xkA7185hQxrNVZbSmgCwWYcWdYgPpeHlj
WU6EL6VOqUgDauDGtKNF0Niug27REPdHlRTf2ddPADo0ZCxOQSzZQDNE3xCN2TAV
6o4047nx1b/dS0R9Sv0p2udrZhxNR0clnWPZJzUvUSJmwO6MdhWHpWwzydcARpGg
Hs9zTdhpKX2XT7GM
=sFji
-----END PGP SIGNATURE-----
pgpSBBwMcdF2Q.pgp
Description: PGP signature
--- End Message ---
