[Debian-iot-maintainers] Bug#1063534: libjwt: CVE-2024-25189
Moritz Mühlenhoff
jmm at inutil.org
Fri Feb 9 14:02:11 GMT 2024
Source: libjwt
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libjwt.
CVE-2024-25189[0]:
| libjwt 1.15.3 uses strcmp (which is not constant time) to verify
| authentication, which makes it easier to bypass authentication via a
| timing side channel.
The report is
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
but it doesn't seem to have been reported upstream yet.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-25189
https://www.cve.org/CVERecord?id=CVE-2024-25189
Please adjust the affected versions in the BTS as needed.
More information about the Debian-iot-maintainers
mailing list